CVE-2026-53129
In the Linux kernel, the following vulnerability has been resolved:

fs/mbcache: cancel shrink work before destroying the cache

mb_cache_destroy() calls shrinker_free() and then frees all cache entries and the cache itself, but it does not cancel the pending c_shrink_work work item first. If mb_cache_entry_create() schedules c_shrink_work via schedule_work() and the work item is still pending or running when mb_cache_destroy() runs, mb_cache_shrink_worker() will access the cache after its memory has been freed, causing a use-after-free.

This is only reachable by a privileged user (root or CAP_SYS_ADMIN) who can trigger the last put of a mounted ext2/ext4/ocfs2 filesystem.

Cancel the work item with cancel_work_sync() before calling shrinker_free(), ensuring the worker has finished and will not be rescheduled before the cache is torn down.
Affected versions
Linux kernel versions 4.6 and later are affected. Fixed in 6.12.91, 6.18.33, 7.0.10, 7.1 and their respective stable series.
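A triage check built from the affected and fixed versions listed above and the filesystems named in the description. This is an added example, not part of the original advisory or the kernel project's code; the function names and sample inputs are constructed, and it compares upstream version numbers only, so a distribution kernel that backports the fix under an older version number will be misreported as affected.

```python
import re

# Version data below is copied from this page; the function names are this example's own.
INTRODUCED = (4, 6)                                        # first affected series
FIXED_IN_SERIES = {(6, 12): 91, (6, 18): 33, (7, 0): 10}   # series -> first fixed patch level
FIXED_FROM = (7, 1)                                        # 7.1 and later carry the fix
MBCACHE_FS = {"ext2", "ext4", "ocfs2"}                     # filesystems named in the description

def classify(release):
    """Classify an upstream-style release string, e.g. the output of `uname -r`."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    series, patch = (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)
    if series < INTRODUCED:
        return "not-affected"
    if series == FIXED_FROM and "-rc" in release:
        return "unknown"                  # a release candidate may predate the fix
    if series >= FIXED_FROM:
        return "fixed"
    first_fixed = FIXED_IN_SERIES.get(series)
    if first_fixed is None:
        return "affected-no-fix-listed"   # this page names no fixed release for the series
    return "fixed" if patch >= first_fixed else "affected"

def mounted_mbcache_fs(mounts_text):
    """Return the listed filesystem types present in /proc/mounts-format text."""
    types = set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] in MBCACHE_FS:
            types.add(fields[2])
    return types

def exposed(release, mounts_text):
    """True when the kernel is unfixed or undetermined and a listed filesystem is mounted."""
    unfixed = classify(release) in {"affected", "affected-no-fix-listed", "unknown"}
    return unfixed and bool(mounted_mbcache_fs(mounts_text))

# Constructed sample input, not taken from a real host.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /srv/data xfs rw,relatime 0 0
"""

if __name__ == "__main__":
    for rel in ["4.5.7", "6.6.30", "6.12.90-generic", "6.12.91", "7.0.10", "7.1.0-rc2", "7.2.1"]:
        print(rel, classify(rel), exposed(rel, SAMPLE_MOUNTS))
```

On a live host, pass the output of `uname -r` and the contents of `/proc/mounts`; the mount check is a snapshot and does not account for filesystems mounted later.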
Frequently asked questions
- What is CVE-2026-53129?
  CVE-2026-53129 is a Linux kernel vulnerability with no severity score assigned. It affects Linux kernel versions from 4.6 onward and has been patched in 6.12.91, 6.18.33, 7.0.10 and others. CVE-2026-53129 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
- Is there a patch available for CVE-2026-53129?
  Yes, CVE-2026-53129 has been patched. Fixed versions include 6.12.91, 6.18.33, 7.0.10 and others. If you are running Linux kernel 4.6 or later and your kernel predates the fixed version for its branch, apply the relevant patch for your kernel branch.
- Is CVE-2026-53129 actively exploited?
  No, CVE-2026-53129 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.