Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.
Published: 2026-05-01
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the f2fs filesystem allows a use‑after‑free of the superblock information (sbi) structure during the completion of compressed writeback operations. The bug occurs when the write‑back path decrements a counter that can unblock an unmount, which in turn frees the sbi before the write‑back callback finishes. The callback then accesses freed memory. This memory corruption can lead to unpredictable kernel behavior, crashes, or, if an attacker can trigger the scenario, arbitrary code execution in kernel mode. The vulnerability is specific to the f2fs_compress_write_end_io() routine and is similar to a previously fixed race in f2fs_write_end_io(). Based on the description, it is inferred that the race can be induced by coordinating writeback and unmount operations, which may require local access.

Affected Systems

All Linux kernel releases that contain f2fs before the patch that moves the dec_page_count() call after page_array_free(). The affected code path is part of the f2fs filesystem layer and affects all systems using compiled‑in or dynamically loaded f2fs modules.

Risk and Exploitability

The CVSS Score of 7.8 indicates high severity, while the EPSS score is <1%, implying a very low probability of exploitation. The CWE identifiers for this vulnerability are 416 (Use After Free) and 825 (Uncontrolled Memory Reference). The vulnerability is not listed in the CISA KEV catalog. The attack requires local context that can exploit a race between compressed writeback and unmount; therefore it is not publicly exploitable in a remote scenario. However, the use‑after‑free could allow privilege escalation to root or cause denial of service if the conditions can be arranged. Based on the description, it likely requires local execution privileges and is not a feasible remote attack vector. The overall risk is considered moderate to high for environments that rely on f2fs and perform unmounts while writeback is active.

Generated by OpenCVE AI on May 6, 2026 at 19:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes the fix for f2fs_compress_write_end_io()
  • Before unmounting an f2fs filesystem, run a sync or fsync to ensure all pending writes are completed
  • If a patch is unavailable, avoid unmounting while the filesystem is actively performing compressed writeback; consider disabling compressed writes if possible

Generated by OpenCVE AI on May 6, 2026 at 19:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References

Fri, 01 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi). Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab — a destroyed slab cache — to call kmem_cache_free(), causing a use-after-free. This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix. Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount. For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning — page_array_free is not reached on this path, so there is no post-decrement sbi access. For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.
Title f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:14:06.234Z

Reserved: 2026-03-09T15:48:24.132Z

Link: CVE-2026-31702

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-01T14:16:20.140

Modified: 2026-05-06T18:44:52.290

Link: CVE-2026-31702

cve-icon Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31702 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T19:30:10Z

Weaknesses