CVE-2026-31715

HIGH · CVSS 3.1: 7.8 · EPSS 2.1%
Published May 1, 2026
Last Modified Jun 19, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference.

The concurrent scenario that triggers the panic is as follows:

    F2FS_WB_CP_DATA write callback            umount
                                              - f2fs_write_checkpoint
                                               - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
    - blk_mq_end_request
     - bio_endio
      - f2fs_write_end_io
       : dec_page_count(sbi, F2FS_WB_CP_DATA)
       : wake_up(&sbi->cp_wait)
                                              - kill_f2fs_super
                                               - kill_block_super
                                                - f2fs_put_super
                                                 : iput(sbi->node_inode)
                                                 : sbi->node_inode = NULL
       : f2fs_in_warm_node_list
        - is_node_folio // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.
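The ordering problem described above, reduced to a deterministic single-threaded C model. This is an added example, not code from the kernel or the patch; the `model_*` names and `end_io_hits_null()` are hypothetical, and the unmount waiter is assumed to run the moment the counter reaches zero.

```c
/* Userspace model, constructed for illustration (not kernel code).
 * All model_* names are hypothetical stand-ins for the f2fs symbols. */
#include <stdbool.h>
#include <stdio.h>

struct model_inode { unsigned long ino; };
struct model_sbi {
    int nr_pages;                   /* sbi->nr_pages[F2FS_WB_CP_DATA] */
    struct model_inode *node_inode; /* sbi->node_inode */
    bool null_deref;                /* set where the kernel would panic */
};

/* f2fs_in_warm_node_list() -> is_node_folio(): reads node_inode. */
static bool model_in_warm_node_list(struct model_sbi *sbi, unsigned long ino)
{
    if (sbi->node_inode == NULL) {
        sbi->null_deref = true;     /* the real kernel dereferences NULL here */
        return false;
    }
    return sbi->node_inode->ino == ino;
}

/* dec_page_count() + wake_up(), assuming the umount waiter runs at once:
 * with no pages pending, f2fs_put_super() drops node_inode. */
static void model_dec_and_wake(struct model_sbi *sbi)
{
    if (--sbi->nr_pages == 0)
        sbi->node_inode = NULL;     /* iput(); sbi->node_inode = NULL */
}

/* Returns true if the modeled completion read a torn-down node_inode. */
bool end_io_hits_null(bool check_before_dec)
{
    struct model_inode node = { .ino = 1 };
    struct model_sbi sbi = { .nr_pages = 1, .node_inode = &node };

    if (check_before_dec)           /* patched order */
        (void)model_in_warm_node_list(&sbi, 1);
    model_dec_and_wake(&sbi);
    if (!check_before_dec)          /* vulnerable order */
        (void)model_in_warm_node_list(&sbi, 1);
    return sbi.null_deref;
}

int main(void)
{
    printf("vulnerable=%d patched=%d\n", end_io_hits_null(false), end_io_hits_null(true));
    return 0;
}
```

The counter acts as the only thing holding unmount back, so any access to `sbi` state after the final decrement is unprotected; the patched order finishes every such access first.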

CVSS Details

Base Score 7.8
Exploitability 1.8
Impact 5.9
Vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.1% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 3

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥4.19 – <6.18.25
linux   linux_kernel  *        ≥6.19 – <7.0.2
linux   linux_kernel  7.1      any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0d40b26377f891e6dcb6efaf8ef9374c99be1b1d
  • git.kernel.org https://git.kernel.org/stable/c/1171f329cf1c175321251ac40fd126150d7ad1e8
  • git.kernel.org https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7be222de96c0f9eee6e65eeb017ef855ee185cfa
  • git.kernel.org https://git.kernel.org/stable/c/7dbdab4430e4654db9aacef12b9b3b8b29ca25cb
  • git.kernel.org https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ffb94770dbdfb5411be5d9f44a960b010ec890ad

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7
    Patch