How to Fix CVE-2026-31580: bcache: fix cached_dev.sb_bio use-after-free and crash in Linux
By Sai Kiran Pandrala
## Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2026-31494: net: macb: use the current queue number for stats in Linux
- How to Fix CVE-2026-31464: scsi: ibmvfc: Fix OOB access in Linux
- How to Fix CVE-2026-28295: SSRF in Red Hat Enterprise Linux 10
- How to Fix CVE-2026-43124: Security Vulnerability in Linux
- How to Fix CVE-2026-31392: Linux (Bundle Sibling)
Last verified: 2026-05-25
CVE-2026-31580 is a use-after-free and crash in the Linux kernel's bcache driver (cached_dev.sb_bio). Fix it by upgrading to the fixed release of the stable series you run: 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1 or 7.1-rc1.
| Severity | Not verified - see official advisory |
|---|---|
| Actively exploited? | Not currently in the CISA KEV catalog |
| Affected | Linux cafe563591446cf80bfbc2fe3bc72a2e36cf1060 up to (excluding) 47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1; Linux cafe563591446cf80bfbc2fe3bc72a2e36cf1060 up to (excluding) add4982510f3b7c318a2dd7438bdc9c63171e753; Linux cafe563591446cf80bfbc2fe3bc72a2e36cf1060 up to (excluding) 2d6965581e164fa2ba3f7652ddae5535f6336576; Linux cafe563591446cf80bfbc2fe3bc72a2e36cf1060 up to (excluding) 4f71c8ba2dc009042493021d94a9718fbe2ebf27; Linux cafe563591446cf80bfbc2fe3bc72a2e36cf1060 up to (excluding) 383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9; Linux cafe563591446cf80bfbc2fe3bc72a2e36cf1060 up to (excluding) fec114a98b8735ee89c75216c45a78e28be0f128 |
| Fixed in | 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, 7.1-rc1 |
| Type (CWE) | Not verified |
## What is CVE-2026-31580?
CVE-2026-31580 is a use-after-free and crash flaw in the Linux kernel's bcache driver (cached_dev.sb_bio). The vendor has not published a verified CVSS metric at the time of writing. It is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
From the source record: In the Linux kernel, the following vulnerability has been resolved:
bcache: fix cached_dev.sb_bio use-after-free and crash
In our production environment, we have received multiple crash reports regarding libceph, which have caught our attention:
```text
[6888366.280350] Call Trace:
[6888366.280452] blk_update_request+0x14e/0x370
[6888366.280561] blk_mq_end_request+0x1a/0x130
[6888366.280671] rbd_img_handle_request+0x1a0/0x1b0 [rbd]
[6888366.280792] rbd_obj_handle_request+0x32/0x40 [rbd]
[6888366.280903] __complete_request+0x22/0x70 [libceph]
[6888366.281032] osd_dispatch+0x15e/0xb40 [libceph]
[6888366.281164] ? inet_recvmsg+0x5b/0xd0
[6888366.281272] ? ceph_tcp_recvmsg+0x6f/0xa0 [libceph]
[6888366.281405] ceph_con_process_message+0x79/0x140 [libceph]
[6888366.281534] ceph_con_v1_try_read+0x5d7/0xf30 [libceph]
[6888366.
```
Why it matters in practice: The blast radius depends on how the affected service is exposed. An internet-facing instance with no compensating controls is the highest-risk configuration.
## Am I affected?
You are affected if the kernel you are running matches a version listed in the **Affected** row above. Note that the stable branches are independent: a 6.12.x kernel is fixed at 6.12.83, a 6.6.x kernel at 6.6.136, and so on, so compare against the release for your own series. There is no binary package called `linux`, so query the kernel package and the running release instead:
Debian/Ubuntu
```shell
uname -r                                  # running kernel release
dpkg -l 'linux-image-*' | grep '^ii'      # installed kernel packages
```
RHEL/Rocky
```shell
uname -r
rpm -q kernel
```
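The comparison above is easy to get wrong by hand, because each stable series has its own fixed release and a distro suffix such as `-1-amd64` or `.el9` sits after the upstream version. The following script is an added example, not part of the advisory or of the kernel project: it takes the "Fixed in" list from this page, judges a `uname -r` string against the fixed release of its own series, and also reports whether the bcache driver is loaded at all (from `/proc/modules`), since a host that never loads bcache has no path to this code. The `SAMPLE_PROC_MODULES` text is constructed for offline use; the live check reads the real host.

```python
"""Added example (not from the advisory or the kernel project): decide whether a
running kernel is at or above the CVE-2026-31580 fix for its stable series, and
whether the bcache module is loaded on the host.

Assumptions: the fixed-version list comes from the advisory's "Fixed in" row;
the release string is the uname -r form 'major.minor[.patch][-rcN][-distro]';
module presence is read from /proc/modules (or a constructed sample).
"""
import re
import platform
from pathlib import Path

# Fixed releases per stable series, copied from the advisory's "Fixed in" row.
FIXED_VERSIONS = ["6.6.136", "6.12.83", "6.18.24", "6.19.14", "7.0.1", "7.1-rc1"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release):
    """Parse 'major.minor[.patch][-rcN]' from a uname -r string.

    Returns (major, minor, patch, rc) with rc None for a final release.
    Distro suffixes such as '-91-generic' or '.el9' are ignored.
    """
    m = _VERSION_RE.match(release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    rc = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, rc


def _sort_key(parsed):
    """Order releases so that X.Y-rcN sorts before X.Y.0 and rc1 before rc2."""
    major, minor, patch, rc = parsed
    if rc is not None:
        return (major, minor, -1, rc)
    return (major, minor, patch, 0)


def fix_status(release, fixed_versions=FIXED_VERSIONS):
    """Return 'fixed', 'vulnerable' or 'unknown-series' for a kernel release.

    The fix was backported per stable series, so 6.12.90 is fixed while
    6.12.80 is not, even though 6.18.24 is also a fixed release. A series
    absent from the list (e.g. 6.1.x, or mainline after 7.1) cannot be judged
    from this data alone and is reported as 'unknown-series'.
    """
    cur = parse_kernel_version(release)
    for fixed in fixed_versions:
        fx = parse_kernel_version(fixed)
        if fx[:2] == cur[:2]:
            return "fixed" if _sort_key(cur) >= _sort_key(fx) else "vulnerable"
    return "unknown-series"


def bcache_loaded(proc_modules_text):
    """Return True if 'bcache' appears as a module name in /proc/modules text.

    Each line is '<name> <size> <refcount> <users> <state> <addr>'. A kernel
    with bcache built in (CONFIG_BCACHE=y) will not list it here; on such a
    host check for the /sys/fs/bcache directory instead.
    """
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "bcache":
            return True
    return False


# Constructed sample of /proc/modules output for offline use (not captured
# from a real host).
SAMPLE_PROC_MODULES = """\
bcache 356352 2 - Live 0xffffffffc0a00000
rbd 126976 0 - Live 0xffffffffc09c0000
libceph 528384 1 rbd, Live 0xffffffffc0900000
"""


def check_host():
    """Live check of this host: running release, fix status, bcache presence."""
    release = platform.release()
    try:
        modules = Path("/proc/modules").read_text()
    except OSError:
        modules = ""
    loaded = bcache_loaded(modules) or Path("/sys/fs/bcache").is_dir()
    return {"release": release, "status": fix_status(release),
            "bcache_present": loaded}


if __name__ == "__main__":
    print(check_host())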
## How to fix CVE-2026-31580
Apply the vendor patch. Upgrade to the fixed release of the stable series you run, as named in the **Fixed in** row above (6.6.136 for 6.6.x, 6.12.83 for 6.12.x, 6.18.24 for 6.18.x, 6.19.14 for 6.19.x, 7.0.1 for 7.0.x, 7.1-rc1 for mainline). The runnable command set below covers the most common deployment patterns for Linux.
### Ubuntu / Debian
```shell
sudo apt-get update
# Ubuntu: the linux-generic metapackage; Debian: linux-image-amd64 (adjust for your flavour/arch)
sudo apt-get install --only-upgrade linux-generic
dpkg -l 'linux-image-*' | grep '^ii'
```
### RHEL / CentOS / Rocky
```shell
sudo dnf upgrade kernel -y
rpm -q kernel
```
### After applying the patch
1. Reboot the host so the patched kernel loads; a kernel package upgrade does not take effect until the new kernel is booted.
2. Confirm the running version matches the **Fixed in** row using the verification command below.
3. Rotate credentials and API keys that the affected service could access if the asset was exposed during the disclosure window.
## If you can't patch immediately
Until the patch lands, narrow the attack surface with these runnable controls. Keep in mind that this flaw is in the kernel's bcache block-cache driver rather than in a network-facing daemon, so the perimeter rules below limit who can reach workloads on the host but do not remove the faulty code path.
### Restrict network exposure
Block public access to the affected service at the perimeter. Allow only trusted source IPs.
Linux iptables: only allow trusted admin subnet
```shell
sudo iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4
```
Windows firewall: only allow trusted admin subnet on management port
```powershell
New-NetFirewallRule -DisplayName "Restrict-Mgmt-Allow" -Direction Inbound -Action Allow `
    -RemoteAddress 10.10.10.0/24 -Protocol TCP -LocalPort 443
New-NetFirewallRule -DisplayName "Restrict-Mgmt-Deny" -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort 443
```
Mitigations are temporary. Apply the vendor patch as soon as a maintenance window opens.
## How to verify the fix worked
Confirm the patched kernel is the one actually running, not merely installed: `uname -r` reports the booted kernel, while the package query shows what is on disk.
Debian/Ubuntu
```shell
uname -r
dpkg -l 'linux-image-*' | grep '^ii'
```
RHEL/Rocky
```shell
uname -r
rpm -q kernel
```
Expected: a running release at or above the fixed version for your stable series (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1 or 7.1-rc1).
Also worth doing: pull recent log windows for indicators of compromise listed in the vendor advisory, and re-run an authenticated vulnerability scan with up-to-date signatures.
## Frequently asked questions
**Is CVE-2026-31580 being exploited in the wild?**
As of 2026-05-25, CVE-2026-31580 is not listed in the CISA Known Exploited Vulnerabilities catalog. Watch the catalog and patch on a normal cadence; KEV status can change as exploitation evidence emerges.
**What is the CVSS score for CVE-2026-31580?**
A verified CVSS score is not listed in the public record for CVE-2026-31580. Check the vendor advisory and the NVD page for an updated metric.
**What version fixes this?**
Upgrade to 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, 7.1-rc1.
**Will a WAF or IDS rule alone close this?**
No. Network filters cut down opportunistic scans but they do not remove the flaw. The vendor patch is the only durable fix.
## References
- Official vendor advisory: https://git.kernel.org/stable/c/47fa09fe7f3e09df28a51cb2cbd8f5d2f7f6edc1
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-31580
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Additional reference: https://git.kernel.org/stable/c/add4982510f3b7c318a2dd7438bdc9c63171e753
- Additional reference: https://git.kernel.org/stable/c/2d6965581e164fa2ba3f7652ddae5535f6336576
- Additional reference: https://git.kernel.org/stable/c/4f71c8ba2dc009042493021d94a9718fbe2ebf27
- Additional reference: https://git.kernel.org/stable/c/383f7fec0de8cee1cf7ae1f9d9f14044a61f10f9
---
*Assembled from the official vendor advisory, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*