{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "cafe563591446cf80bfbc2fe3bc72a2e36cf1060"
            },
            {
              "fixed": "81f44ed8c3f54abb7561ece774ea4cca5070b2f2"
            },
            {
              "fixed": "f50e7c325ab1207fe941555bcff659f6d7050572"
            },
            {
              "fixed": "9467d360be70e6ee55b0c1cd2a1f1424f57b5b85"
            },
            {
              "fixed": "47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1"
            },
            {
              "fixed": "add4982510f3b7c318a2dd7438bdc9c63171e753"
            },
            {
              "fixed": "2d6965581e164fa2ba3f7652ddae5535f6336576"
            },
            {
              "fixed": "4f71c8ba2dc009042493021d94a9718fbe2ebf27"
            },
            {
              "fixed": "383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9"
            },
            {
              "fixed": "fec114a98b8735ee89c75216c45a78e28be0f128"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.10.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.136"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.83"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.24"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.14"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.20.0"
            },
            {
              "fixed": "7.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31580.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbcache: fix cached_dev.sb_bio use-after-free and crash\n\nIn our production environment, we have received multiple crash reports\nregarding libceph, which have caught our attention:\n\n```\n[6888366.280350] Call Trace:\n[6888366.280452]  blk_update_request+0x14e/0x370\n[6888366.280561]  blk_mq_end_request+0x1a/0x130\n[6888366.280671]  rbd_img_handle_request+0x1a0/0x1b0 [rbd]\n[6888366.280792]  rbd_obj_handle_request+0x32/0x40 [rbd]\n[6888366.280903]  __complete_request+0x22/0x70 [libceph]\n[6888366.281032]  osd_dispatch+0x15e/0xb40 [libceph]\n[6888366.281164]  ? inet_recvmsg+0x5b/0xd0\n[6888366.281272]  ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]\n[6888366.281405]  ceph_con_process_message+0x79/0x140 [libceph]\n[6888366.281534]  ceph_con_v1_try_read+0x5d7/0xf30 [libceph]\n[6888366.281661]  ceph_con_workfn+0x329/0x680 [libceph]\n```\n\nAfter analyzing the coredump file, we found that the address of\ndc-\u003esb_bio has been freed. We know that cached_dev is only freed when it\nis stopped.\n\nSince sb_bio is a part of struct cached_dev, rather than an alloc every\ntime.  If the device is stopped while writing to the superblock, the\nreleased address will be accessed at endio.\n\nThis patch hopes to wait for sb_write to complete in cached_dev_free.\n\nIt should be noted that we analyzed the cause of the problem, then tell\nall details to the QWEN and adopted the modifications it made.",
  "id": "CVE-2026-31580",
  "modified": "2026-07-15T01:49:04.536390571Z",
  "published": "2026-04-24T14:42:10.874Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/81f44ed8c3f54abb7561ece774ea4cca5070b2f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9467d360be70e6ee55b0c1cd2a1f1424f57b5b85"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f50e7c325ab1207fe941555bcff659f6d7050572"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fec114a98b8735ee89c75216c45a78e28be0f128"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31580.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31580"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "bcache: fix cached_dev.sb_bio use-after-free and crash"
}