CVE-2026-31702

EPSS 0.01%
Veröffentlicht 01.05.2026 14:16:20
Zuletzt bearbeitet 06.05.2026 18:44:52
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

NVD 6 VulnDex Vulnerability Enrichment 14

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 5.6 < 6.6.136

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.84

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.25

Linux ≫ Linux Kernel Version >= 6.19 < 7.0.2

Linux ≫ Linux Kernel Version7.1 Updaterc1

Linux ≫ Linux Kernel Version7.1 Updaterc2

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.024

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a

Patch

https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a

Patch

https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a

Patch

https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280

Patch

https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-31702

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31702

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31702

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31702