CVE-2026-31715 - Vulnerability Details

- f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

The xfstests case "generic/107" and syzbot have both reported a NULL
pointer dereference.

The concurrent scenario that triggers the panic is as follows:

F2FS_WB_CP_DATA write callback umount
- f2fs_write_checkpoint
- f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
- bio_endio
- f2fs_write_end_io
: dec_page_count(sbi, F2FS_WB_CP_DATA)
: wake_up(&sbi->cp_wait)
- kill_f2fs_super
- kill_block_super
- f2fs_put_super
: iput(sbi->node_inode)
: sbi->node_inode = NULL
: f2fs_in_warm_node_list
- is_node_folio // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and
sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is
decremented to zero. As a result, f2fs_in_warm_node_list() may
dereference a NULL node_inode when checking whether a folio belongs to
the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before
decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the
use-after-free condition.

Published: 2026-05-01

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free error occurs in the Linux f2fs file system when the superblock’s page counter is decremented during the write end I/O callback while the file system is unmounting. The bug causes the kernel to dereference the node inode after it has been cleared to NULL, resulting in a NULL pointer dereference that triggers a kernel panic. This produces a complete denial of service on the affected system. Based on the description of the unmount operation, it is inferred that a user with permission to unmount the filesystem would need to trigger the race condition.

Affected Systems

All Linux kernel releases that contain the unpatched f2fs logic before the 2026‑31715 fix. No specific version range is supplied, so any kernel offering f2fs and including the legacy write‑end‑io counter decrement is potentially vulnerable.

Risk and Exploitability

The vulnerability is a local use‑after‑free that, by inference, requires a privileged user capable of initiating an unmount of an active f2fs volume. Exploitation would need local access to the device and the ability to perform the unmount sequence, limiting its practicality. No public exploits are known and it is not listed in the CISA KEV catalog. Because the flaw can halt the system, the impact remains severe, especially on critical servers that cannot tolerate downtime.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`50fa53eccf9f911a5b435248a2b0bd484fd82e5e`	affected	< 963d2e24d9d92a31e6773b0f642214f10013ebf7
`50fa53eccf9f911a5b435248a2b0bd484fd82e5e`	affected	< 188bb65f247a7a7c62f287c9a263aee3cad96fa5
`50fa53eccf9f911a5b435248a2b0bd484fd82e5e`	affected	< 2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53

Linux

affected

Version	Status	Constraints
`4.19`	affected	—
`0`	unaffected	< 4.19
`6.18.25`	unaffected	≤ 6.18.*
`7.0.2`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[50fa53eccf9f911a5b435248a2b0bd484fd82e5e,963d2e24d9d92a31e6773b0f642214f10013ebf7)`	affected	code_commit	—
`[50fa53eccf9f911a5b435248a2b0bd484fd82e5e,188bb65f247a7a7c62f287c9a263aee3cad96fa5)`	affected	code_commit	—
`[50fa53eccf9f911a5b435248a2b0bd484fd82e5e,2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.19`	affected	semver	—
`[0,4.19)`	unaffected	semver	—
`[6.18.25,6.19.0)`	unaffected	semver	—
`[7.0.2,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream kernel patch that removes the race condition in f2fs_write_end_io() and upgrade the system to the latest stable Linux kernel release.
If an immediate kernel upgrade is not feasible, remount affected F2FS volumes as read‑only to eliminate the race condition and schedule a maintenance window to apply the patch.
Configure the system to avoid triggering unmounts during ongoing writes to F2FS volumes, for example by disabling hot‑unplug procedures or by enforcing a sync before unmount.

Generated by OpenCVE AI on May 2, 2026 at 12:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5
https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53
https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7
https://lore.kernel.org/linux-cve-announce/2026050123-CVE-2026-31715-891c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31715
https://www.cve.org/CVERecord?id=CVE-2026-31715

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050123-CVE-2026-31715-891c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31715 https://www.cve.org/CVERecord?id=CVE-2026-31715

Fri, 01 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io() The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference. The concurrent scenario that triggers the panic is as follows: F2FS_WB_CP_DATA write callback umount - f2fs_write_checkpoint - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA) - blk_mq_end_request - bio_endio - f2fs_write_end_io : dec_page_count(sbi, F2FS_WB_CP_DATA) : wake_up(&sbi->cp_wait) - kill_f2fs_super - kill_block_super - f2fs_put_super : iput(sbi->node_inode) : sbi->node_inode = NULL : f2fs_in_warm_node_list - is_node_folio // sbi->node_inode is NULL and panic The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic. This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.
Title		f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5 https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53 https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T13:56:10.591Z

Updated: 2026-05-01T13:56:10.591Z

Reserved: 2026-03-09T15:48:24.133Z

Link: CVE-2026-31715

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T14:16:21.637

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-31715

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-31715 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses

CWE-825

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object