CVE-2026-31702

Severity: High (CVSS 3.1 base score 7.8)
EPSS: 2.1%
Published: May 1, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi).

Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab — a destroyed slab cache — to call kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount.

For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning — page_array_free is not reached on this path, so there is no post-decrement sbi access.

For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.
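The ordering described above, as an added example that is not kernel code and not taken from the referenced patches: a single-threaded C model in which the modelled unmount destroys the slab the moment the counter reaches zero, so the worst-case interleaving is deterministic. The `*_model` names, the `fixed` switch and the placement of the pre-fix decrement at the top of the callback are assumptions made for illustration.

```c
/* Userspace model, not kernel code: worst-case interleaving on one thread. */
#include <stdbool.h>
#include <stdio.h>

struct sbi_model {
    int wb_cp_data;      /* models the F2FS_WB_CP_DATA counter */
    bool slab_alive;     /* models sbi->page_array_slab being valid */
    int stale_accesses;  /* uses of the slab after it was destroyed */
};

/* Decrement, then let the modelled unmount run as soon as it is unblocked. */
static void dec_page_count_model(struct sbi_model *sbi) {
    if (--sbi->wb_cp_data == 0)
        sbi->slab_alive = false; /* unmount side: kmem_cache_destroy() */
}

static void page_array_free_model(struct sbi_model *sbi) {
    if (!sbi->slab_alive)
        sbi->stale_accesses++;   /* this access is the use-after-free */
}

/* One folio completion; *pending models cic->pending_pages. */
static void end_io_model(struct sbi_model *sbi, int *pending, bool fixed) {
    if (!fixed)
        dec_page_count_model(sbi);     /* assumed pre-fix order: decrement first */
    if (--(*pending) != 0) {
        if (fixed)
            dec_page_count_model(sbi); /* non-last folio: no later sbi use */
        return;
    }
    page_array_free_model(sbi);        /* last folio touches sbi */
    if (fixed)
        dec_page_count_model(sbi);     /* fixed order: decrement is final */
}

/* Complete n folios; return the number of stale slab accesses observed. */
int run_model(int n, bool fixed) {
    struct sbi_model sbi = { .wb_cp_data = n, .slab_alive = true };
    int pending = n;
    for (int i = 0; i < n; i++)
        end_io_model(&sbi, &pending, fixed);
    return sbi.stale_accesses;
}

int main(void) {
    printf("pre-fix: %d stale, fixed: %d stale\n",
           run_model(3, false), run_model(3, true));
    return 0;
}
```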

CVSS Details

Base Score: 7.8
Exploitability: 1.8
Impact: 5.9
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Threat Intelligence

EPSS Exploit Probability: 2.1% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-416: Use After Free (Memory Safety)

Affected Products 6

Vendor   Product        Version   Range
linux    linux_kernel   *         ≥5.6 – <6.6.136
linux    linux_kernel   *         ≥6.7 – <6.12.84
linux    linux_kernel   *         ≥6.13 – <6.18.25
linux    linux_kernel   *         ≥6.19 – <7.0.2
linux    linux_kernel   7.1       any
linux    linux_kernel   7.1       any

References 6

  • https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a (Patch)
  • https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a (Patch)
  • https://git.kernel.org/stable/c/57bc678f36ac03281e877c6b84877b43f964143f
  • https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a (Patch)
  • https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280 (Patch)
  • https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe (Patch)

Remediation

  • https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a (Patch)
  • https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a (Patch)
  • https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a (Patch)
  • https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280 (Patch)
  • https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe (Patch)