CVE-2026-23234
f2fs: fix to avoid UAF in f2fs_write_end_io()
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As syzbot reported an use-after-free issue in f2fs_write_end_io(). It is caused by below race condition: loop device umount
- worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed In kill_f2fs_super(), we will drop all page caches of f2fs inodes before
call free(sbi), it guarantee that all folios should end its writeback, so
it should be safe to access sbi before last folio_end_writeback(). Let's relocate ckpt thread wakeup flow before folio_end_writeback() to
resolve this issue.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2026-01-13 CVE Reserved
- 2026-03-04 CVE Published
- 2026-04-13 CVE Updated
- 2026-04-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/e234088758fca3a669ebb1a02d8bf7bf60f0e4ff | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 5.10.251 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 5.10.251" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 5.15.201 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 5.15.201" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 6.1.164 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.1.164" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 6.6.127 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.6.127" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 6.12.74 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.12.74" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 6.18.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.18.13" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 6.19.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 6.19.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 3.13 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 3.13 < 7.0" | en |
Affected
| ||||||