Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-8q1z-p2qp-nkbf
Vulnerability ID VCID-8q1z-p2qp-nkbf
Aliases CVE-2026-31455
Summary In the Linux kernel, the following vulnerability has been resolved: xfs: stop reclaim before pushing AIL during unmount The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort and free dirty inodes. Reorder xfs_unmount_flush_inodes() to stop inodegc and cancel background reclaim before pushing the AIL. Stop inodegc before cancelling m_reclaim_work because the inodegc worker can re-queue m_reclaim_work via xfs_inodegc_set_reclaimable.
Status Published
Exploitability 0.5
Weighted Severity 5.0
Risk 2.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-366 Race Condition within a Thread
System Score Found at
cvssv3 5.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31455.json
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-31455
epss 0.00013 https://api.first.org/data/v1/epss?cve=CVE-2026-31455
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2026-31455
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2026-31455
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2026-31455
epss 0.00032 https://api.first.org/data/v1/epss?cve=CVE-2026-31455
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31455.json
https://api.first.org/data/v1/epss?cve=CVE-2026-31455
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31455
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2460673 https://bugzilla.redhat.com/show_bug.cgi?id=2460673
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31455.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0241
EPSS Score 0.00013
Published At May 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-23T05:40:58.144925+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.4.0