Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback can insert new extent nodes into the same
extent tree, racing with the destroy and triggering f2fs_bug_on() in
__destroy_extent_node(). The scenario is as follows:

drop inode writeback
- iput
- f2fs_drop_inode // I_SYNC set
- f2fs_destroy_extent_node
- __destroy_extent_node
- while (node_cnt) {
write_lock(&et->lock)
__free_extent_tree
write_unlock(&et->lock)
- __writeback_single_inode
- f2fs_outplace_write_data
- f2fs_update_read_extent_cache
- __update_extent_tree_range
// FI_NO_EXTENT not set,
// insert new extent node
} // node_cnt == 0, exit while
- f2fs_bug_on(node_cnt) // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),
consistent with other callers (__update_extent_tree_range and
__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and
EX_BLOCK_AGE tree.
Published: 2026-05-28
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition between extent node destruction and writeback in the Linux f2fs file system can leave the internal counter node_cnt non‑zero while an extent node is destroyed. The f2fs_bug_on assertion is then triggered inside __destroy_extent_node(), causing a kernel panic and a complete loss of availability for the affected machine. The flaw is a consistency error that manifests only during concurrent file system activity and does not allow direct data exfiltration.

Affected Systems

All Linux kernels that ship the f2fs driver and have not yet incorporated the commit adding the FI_NO_EXTENT guard are potentially vulnerable. The patch series referenced by commit identifiers 0559a0e962aacbb47519e26ee663be04b72dcb92 and related changes address this flaw. Users should verify that their kernel version contains those commits or a later revision.

Risk and Exploitability

Exploitation requires a local attacker who can initiate filesystem operations that drop an inode while a background writeback thread is running. The race condition depends on precise timing, making the attack vector difficult to predict. The EPSS score is less than 1%, indicating a very low but non‑zero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is local file system activity, although the exact attacker model is not explicitly stated in the input.

Generated by OpenCVE AI on June 10, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided kernel update that introduces FI_NO_EXTENT synchronization to resolve the race condition (CWE-367).
  • Reboot the system to load the updated kernel and f2fs module, ensuring the new guards are active.
  • If f2fs usage is unnecessary, unmount or disable the filesystem to eliminate the vulnerability surface.

Generated by OpenCVE AI on June 10, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 29 May 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References

Thu, 28 May 2026 13:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.
Title f2fs: fix node_cnt race between extent node destroy and writeback
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:01:43.896Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46194

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-28T10:16:35.033

Modified: 2026-06-10T19:19:50.537

Link: CVE-2026-46194

cve-icon Redhat

Severity :

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46194 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T20:30:28Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition