CVE-2026-31702
Received Received - Intake
Use-After-Free in Linux Kernel F2FS

Publication date: 2026-05-01

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi). Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab β€” a destroyed slab cache β€” to call kmem_cache_free(), causing a use-after-free. This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix. Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount. For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning β€” page_array_free is not reached on this path, so there is no post-decrement sbi access. For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-01
EPSS Evaluated
2026-05-05
NVD
CVE-2026-31702
EUVD
EUVD-2026-26511
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.84 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.13 (inc) to 6.18.25 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.2 (exc)
linux linux_kernel From 5.6 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can lead to a use-after-free condition in the kernel, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Because it involves memory being accessed after it has been freed, it could be exploited to corrupt memory or escalate privileges, impacting system security and reliability.


What immediate steps should I take to mitigate this vulnerability?

This vulnerability is resolved by a fix in the Linux kernel that changes the order of operations in the f2fs_compress_write_end_io() function to prevent use-after-free conditions.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for the f2fs filesystem.


Can you explain this vulnerability to me?

This vulnerability is a use-after-free bug in the Linux kernel's F2FS filesystem, specifically in the function f2fs_compress_write_end_io().

The issue occurs because a counter (F2FS_WB_CP_DATA) can reach zero during a concurrent unmount operation, which unblocks the unmount process. The unmount then destroys a memory cache (page_array_slab) and frees the associated structure (sbi). However, a bio completion callback is still running and tries to access this now freed memory, causing a use-after-free error.

The fix involves reordering operations so that the decrement of the counter happens only after the memory is no longer accessed, preventing the use-after-free condition.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart