Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix out-of-bounds access in sysfs attribute read/write

Some f2fs sysfs attributes suffer from out-of-bounds memory access and
incorrect handling of integer values whose size is not 4 bytes.

For example:
vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
vm:~# cat /sys/fs/f2fs/vde/carve_out
65537
vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
1

carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit
integer. However, the sysfs interface allows setting it to a value
larger than 255, resulting in an out-of-range update.

atgc_age_threshold maps to {struct atgc_management}->age_threshold,
which is a 64-bit integer, but its sysfs interface cannot correctly set
values larger than UINT_MAX.

The root causes are:
1. __sbi_store() treats all default values as unsigned int, which
prevents updating integers larger than 4 bytes and causes out-of-bounds
writes for integers smaller than 4 bytes.

2. f2fs_sbi_show() also assumes all default values are unsigned int,
leading to out-of-bounds reads and incorrect access to integers larger
than 4 bytes.

This patch introduces {struct f2fs_attr}->size to record the actual size
of the integer associated with each sysfs attribute. With this
information, sysfs read and write operations can correctly access and
update values according to their real data size, avoiding memory
corruption and truncation.
Published: 2026-03-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption leading to potential local privilege escalation
Action: Apply Patch
AI Analysis

Impact

The f2fs filesystem exposes several sysfs attributes that control internal counters and thresholds. When an attribute is written with a numeric value larger than the underlying data type, the kernel performs a size‑agnostic update. This results in memory corruption: out‑of‑bounds writes for attributes smaller than four bytes and truncation or incorrect reads for larger values. Such corruption can corrupt kernel data structures, which may allow a local user to elevate privileges or cause system instability. The critical weakness is classified as CWE‑125, "Out‑of‑Bounds Read or Write."

Affected Systems

All Linux kernel installations that include the f2fs filesystem are potentially affected. The patch addresses the issue in the generic Linux kernel; no specific kernel revision is listed, so the vulnerability applies to any kernel version that has not yet incorporated the fix. Users should determine whether their system runs an affected kernel and apply the update if applicable.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate‑to‑high severity, mainly due to the memory corruption and privilege escalation risk. The EPSS score is less than 1 %, implying that, as of the last assessment, exploitation attempts are rare, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local: a user with write permission to /sys/fs/f2fs can supply overflowing values. An attacker may need only ordinary user privileges on the machine, but achieving higher privileges or a crash requires successful exploitation of the corrupted data. Given the moderate worth and low exploitation probability, systems should still address the issue promptly, as a local attack can be sufficient to undermine system integrity.

Generated by OpenCVE AI on April 15, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the f2fs out‑of‑bounds access fix.
  • If an update cannot be applied immediately, restrict write access to the f2fs sysfs attributes (e.g., chmod them to 0400 or set ownership to root).
  • Consider disabling the f2fs filesystem entirely if it is not required, or enable kernel hardening options such as SELinux, AppArmor, or grsecurity patches to reduce the attack surface.

Generated by OpenCVE AI on April 15, 2026 at 15:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4498-1 linux security update
Debian DLA Debian DLA DLA-4499-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6163-1 linux security update
Debian DSA Debian DSA DSA-6162-1 linux security update
History

Tue, 17 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}

Thu, 05 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/carve_out 65537 vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold 1 carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit integer. However, the sysfs interface allows setting it to a value larger than 255, resulting in an out-of-range update. atgc_age_threshold maps to {struct atgc_management}->age_threshold, which is a 64-bit integer, but its sysfs interface cannot correctly set values larger than UINT_MAX. The root causes are: 1. __sbi_store() treats all default values as unsigned int, which prevents updating integers larger than 4 bytes and causes out-of-bounds writes for integers smaller than 4 bytes. 2. f2fs_sbi_show() also assumes all default values are unsigned int, leading to out-of-bounds reads and incorrect access to integers larger than 4 bytes. This patch introduces {struct f2fs_attr}->size to record the actual size of the integer associated with each sysfs attribute. With this information, sysfs read and write operations can correctly access and update values according to their real data size, avoiding memory corruption and truncation.
Title f2fs: fix out-of-bounds access in sysfs attribute read/write
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:02:52.760Z

Reserved: 2026-01-13T15:37:45.988Z

Link: CVE-2026-23235

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T15:16:13.977

Modified: 2026-03-17T21:20:33.457

Link: CVE-2026-23235

cve-icon Redhat

Severity :

Publid Date: 2026-03-04T00:00:00Z

Links: CVE-2026-23235 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses