CVE-2026-23234 (GCVE-0-2026-23234)
Vulnerability from cvelistv5
Published
2026-03-04 14:36
Modified
2026-04-13 06:02
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback(). Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.
References
Impacted products
Vendor Product Version
Linux Linux Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
Version: e234088758fca3a669ebb1a02d8bf7bf60f0e4ff
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0fb58aff0dafd6837cc91f4154f3ed6e020358fa",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "505e1c0530db6152cab3feef8e3e4da3d3e358c9",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "acc2c97fc0005846e5cf11b5ba3189fef130c9b3",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "995030be4ce6338c6ff814583c14166446a64008",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "a42f99be8a16b32a0bb91bb6dda212a6ad61be5d",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            },
            {
              "lessThan": "ce2739e482bce8d2c014d76c4531c877f382aa54",
              "status": "affected",
              "version": "e234088758fca3a669ebb1a02d8bf7bf60f0e4ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.251",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.201",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.164",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.251",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.201",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.164",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.127",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.74",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.13",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.3",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_write_end_io()\n\nAs syzbot reported an use-after-free issue in f2fs_write_end_io().\n\nIt is caused by below race condition:\n\nloop device\t\t\t\tumount\n- worker_thread\n - loop_process_work\n  - do_req_filebacked\n   - lo_rw_aio\n    - lo_rw_aio_complete\n     - blk_mq_end_request\n      - blk_update_request\n       - f2fs_write_end_io\n        - dec_page_count\n        - folio_end_writeback\n\t\t\t\t\t- kill_f2fs_super\n\t\t\t\t\t - kill_block_super\n\t\t\t\t\t  - f2fs_put_super\n\t\t\t\t\t : free(sbi)\n       : get_pages(, F2FS_WB_CP_DATA)\n         accessed sbi which is freed\n\nIn kill_f2fs_super(), we will drop all page caches of f2fs inodes before\ncall free(sbi), it guarantee that all folios should end its writeback, so\nit should be safe to access sbi before last folio_end_writeback().\n\nLet\u0027s relocate ckpt thread wakeup flow before folio_end_writeback() to\nresolve this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T06:02:51.626Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0fb58aff0dafd6837cc91f4154f3ed6e020358fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9"
        },
        {
          "url": "https://git.kernel.org/stable/c/505e1c0530db6152cab3feef8e3e4da3d3e358c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/acc2c97fc0005846e5cf11b5ba3189fef130c9b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42"
        },
        {
          "url": "https://git.kernel.org/stable/c/995030be4ce6338c6ff814583c14166446a64008"
        },
        {
          "url": "https://git.kernel.org/stable/c/a42f99be8a16b32a0bb91bb6dda212a6ad61be5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce2739e482bce8d2c014d76c4531c877f382aa54"
        }
      ],
      "title": "f2fs: fix to avoid UAF in f2fs_write_end_io()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23234",
    "datePublished": "2026-03-04T14:36:38.843Z",
    "dateReserved": "2026-01-13T15:37:45.988Z",
    "dateUpdated": "2026-04-13T06:02:51.626Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.