Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.

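The ordering described above, as an added model that is not kernel code and not part of this advisory: the worst-case interleaving (unmount wakes the instant the counter reaches zero) is made deterministic so the before-fix and after-fix orderings of the completion callback can be compared. `struct sbi_model`, `run_completion` and the `pending` argument are this model's own names.

```c
#include <stdbool.h>

/* Constructed model (not f2fs code); an unmount is assumed blocked in f2fs_wait_on_all_pages(). */
struct sbi_model {
	int wb_cp_data;   /* stands in for the F2FS_WB_CP_DATA counter */
	bool slab_alive;  /* stands in for sbi->page_array_slab being valid */
};
/* Worst case made deterministic: at zero, the unmount CPU destroys the slab and frees sbi. */
static void dec_page_count(struct sbi_model *sbi)
{
	if (--sbi->wb_cp_data == 0)
		sbi->slab_alive = false;  /* f2fs_destroy_page_array_cache() + kfree(sbi) */
}
/* Returns false when it would touch the destroyed slab: the use-after-free. */
static bool page_array_free(struct sbi_model *sbi)
{
	return sbi->slab_alive;  /* models kmem_cache_free(sbi->page_array_slab, ...) */
}

/* Ordering before the fix ('pending' stands in for cic->pending_pages). */
static bool end_io_before_fix(struct sbi_model *sbi, int *pending)
{
	dec_page_count(sbi);          /* may let the unmount free sbi right here */
	if (--*pending)
		return true;              /* not the last folio: no further sbi access */
	return page_array_free(sbi);  /* last folio: touches sbi after the decrement */
}

/* Ordering after the fix: every sbi access completes before the decrement. */
static bool end_io_after_fix(struct sbi_model *sbi, int *pending)
{
	if (--*pending) {
		dec_page_count(sbi);      /* non-last folio: nothing touches sbi after this */
		return true;
	}
	bool ok = page_array_free(sbi);  /* counter still nonzero, so sbi is alive */
	dec_page_count(sbi);             /* final operation; unmount may now proceed */
	return ok;
}

/* Complete nfolios writebacks of one cluster; true if no folio hit the UAF. */
static bool run_completion(bool (*end_io)(struct sbi_model *, int *), int nfolios)
{
	struct sbi_model sbi = { nfolios, true };
	for (int pending = nfolios; pending > 0; )
		if (!end_io(&sbi, &pending))
			return false;
	return true;
}
```

The non-last folios pass in both orderings; only the last folio of a cluster differs, which is exactly the path the fix reorders.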
Published: 2026-05-01
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the f2fs filesystem allows a use-after-free of the superblock information (sbi) structure during the completion of compressed writeback operations. The bug occurs when the write-back path decrements a counter that can unblock an unmount, which in turn frees the sbi before the write-back callback finishes. The callback then accesses freed memory. This memory corruption can lead to unpredictable kernel behavior, crashes, or, if an attacker can trigger the scenario, arbitrary code execution in kernel mode. The vulnerability is specific to the f2fs_compress_write_end_io() routine and is similar to a previously fixed race in f2fs_write_end_io(). Based on the description, it is inferred that the race can be induced by coordinating writeback and unmount operations, which may require local access.

Affected Systems

All Linux kernel releases that contain f2fs before the patch that moves the dec_page_count() call after page_array_free(). The affected code path is part of the f2fs filesystem layer and affects all systems using compiled-in or dynamically loaded f2fs modules.

Risk and Exploitability

No CVSS score or EPSS information is published for this vulnerability, and it is not listed in the CISA KEV catalog. The attack requires a local context that can win a race between compressed writeback and a filesystem unmount; it is therefore not exploitable in a remote scenario. However, the use-after-free could allow privilege escalation to root or cause denial of service if an attacker can arrange the conditions. Based on the description, the vulnerability likely requires local execution privileges and is not a feasible remote attack vector. The overall risk is considered moderate to high for environments that rely on f2fs and perform unmounts while writeback is active.

Generated by OpenCVE AI on May 2, 2026 at 07:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix for f2fs_compress_write_end_io()
  • Before unmounting an f2fs filesystem, run a sync or fsync to ensure all pending writes are completed
  • If a patch is unavailable, avoid unmounting while the filesystem is actively performing compressed writeback; consider disabling compressed writes if possible

Advisories

No advisories yet.

History

Sat, 02 May 2026 00:15:00 +0000


Fri, 01 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (added; identical to the Description section above)
Title | | f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-01T13:56:01.601Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31702

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:20.140

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31702

Redhat

Severity :

Public Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31702 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:45:37Z

Weaknesses