CVE-2026-23267

f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes During SPO tests, when mounting F2FS, an -EINVAL error was returned from
f2fs_recover_inode_page. The issue occurred under the following scenario Thread A Thread B
f2fs_ioc_commit_atomic_write - f2fs_do_sync_file // atomic = true - f2fs_fsync_node_pages : last_folio = inode folio : schedule before folio_lock(last_folio) f2fs_write_checkpoint - block_operations// writeback last_folio - schedule before f2fs_flush_nat_entries : set_fsync_mark(last_folio, 1) : set_dentry_mark(last_folio, 1) : folio_mark_dirty(last_folio) - __write_node_folio(last_folio) : f2fs_down_read(&sbi->node_write)//block - f2fs_flush_nat_entries : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED) - unblock_operations : f2fs_up_write(&sbi->node_write) f2fs_write_checkpoint//return : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//return SPO Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has
already been written once. However, the {struct nat_entry}->flag did not
have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and
write last_folio again after Thread B finishes f2fs_write_checkpoint. After SPO and reboot, it was detected that {struct node_info}->blk_addr
was not NULL_ADDR because Thread B successfully write the checkpoint. This issue only occurs in atomic write scenarios. For regular file
fsync operations, the folio must be dirty. If
block_operations->f2fs_sync_node_pages successfully submit the folio
write, this path will not be executed. Otherwise, the
f2fs_write_checkpoint will need to wait for the folio write submission
to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the
situation where f2fs_need_dentry_mark checks that the {struct
nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has
already been submitted, will not occur. Therefore, for atomic file fsync, sbi->node_write should be acquired
through __write_node_folio to ensure that the IS_CHECKPOINTED flag
correctly indicates that the checkpoint write has been completed.

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: f2fs: corrige el problema de inconsistencia del flag IS_CHECKPOINTED causado por escrituras concurrentes de commit atómico y checkpoint Durante las pruebas SPO, al montar F2FS, se devolvió un error -EINVAL desde
f2fs_recover_inode_page. El problema ocurrió bajo el siguiente escenario Hilo A Hilo B
f2fs_ioc_commit_atomic_write - f2fs_do_sync_file // atómico = true - f2fs_fsync_node_pages : last_folio = inode folio : schedule before folio_lock(last_folio) f2fs_write_checkpoint - block_operations// writeback last_folio - schedule before f2fs_flush_nat_entries : set_fsync_mark(last_folio, 1) : set_dentry_mark(last_folio, 1) : folio_mark_dirty(last_folio) - __write_node_folio(last_folio) : f2fs_down_read(&sbi->node_write)//bloquea - f2fs_flush_nat_entries : {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED) - unblock_operations : f2fs_up_write(&sbi->node_write) f2fs_write_checkpoint//retorna : f2fs_do_write_node_page()
f2fs_ioc_commit_atomic_write//retorna SPO El Hilo A llama a f2fs_need_dentry_mark(sbi, ino), y el last_folio ya ha
sido escrito una vez. Sin embargo, el {struct nat_entry}->flag no tenía
el IS_CHECKPOINTED establecido, causando que set_dentry_mark(last_folio, 1) y
se escriba last_folio de nuevo después de que el Hilo B termine f2fs_write_checkpoint. Después de SPO y el reinicio, se detectó que {struct node_info}->blk_addr
no era NULL_ADDR porque el Hilo B escribió exitosamente el checkpoint. Este problema solo ocurre en escenarios de escritura atómica. Para operaciones
fsync de archivos regulares, el folio debe estar sucio. Si
block_operations->f2fs_sync_node_pages envía exitosamente la escritura del folio,
esta ruta no se ejecutará. De lo contrario, f2fs_write_checkpoint deberá esperar
a que se complete el envío de la escritura del folio, ya que
sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Por lo tanto, la situación en la que
f2fs_need_dentry_mark verifica que el {struct nat_entry}->flag sin el flag
IS_CHECKPOINTED, pero la escritura del folio ya ha sido enviada, no ocurrirá. Por lo tanto, para fsync de archivos atómicos, sbi->node_write debe adquirirse
a través de __write_node_folio para asegurar que el flag IS_CHECKPOINTED
indique correctamente que la escritura del checkpoint ha sido completada.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2026-01-13 CVE Reserved
2026-03-18 CVE Published
2026-04-19 EPSS Updated
2026-05-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (7)

URL	Tag	Source
https://git.kernel.org/stable/c/608514deba38c8611ad330d6a3c8e2b9a1f68e4b	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d	2026-02-19
https://git.kernel.org/stable/c/75e19da068adf0dc5dd269dd157392434b9117d4	2026-02-19
https://git.kernel.org/stable/c/962c167b0f262b9962207fbeaa531721d55ea00e	2026-02-19
https://git.kernel.org/stable/c/bd66b4c487d5091d2a65d6089e0de36f0c26a4c7	2026-02-19
https://git.kernel.org/stable/c/ed81bc5885460905f9160e7b463e5708fd056324	2026-02-19
https://git.kernel.org/stable/c/7633a7387eb4d0259d6bea945e1d3469cd135bbc	2026-01-07

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.7 < 6.1.164 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.7 < 6.1.164"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.7 < 6.6.127 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.7 < 6.6.127"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.7 < 6.12.74 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.7 < 6.12.74"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.7 < 6.18.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.7 < 6.18.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.7 < 6.19.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.7 < 6.19.3"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.7 < 7.0 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.7 < 7.0"		en		Affected