CVE-2026-46194
Received - Intake
Race Condition in Linux Kernel F2FS Extent Node Handling

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:

    drop inode                              writeback
     - iput
      - f2fs_drop_inode  // I_SYNC set
       - f2fs_destroy_extent_node
        - __destroy_extent_node
         - while (node_cnt) {
              write_lock(&et->lock)
              __free_extent_tree
              write_unlock(&et->lock)
                                            - __writeback_single_inode
                                             - f2fs_outplace_write_data
                                              - f2fs_update_read_extent_cache
                                               - __update_extent_tree_range
                                                 // FI_NO_EXTENT not set,
                                                 // insert new extent node
           } // node_cnt == 0, exit while
         - f2fs_bug_on(node_cnt)  // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree), and checks FI_NO_EXTENT for both the EX_READ and EX_BLOCK_AGE trees.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs

Vendor         Product        Version / Range
linux_kernel   f2fs           *
linux          linux_kernel   *
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's f2fs filesystem, specifically involving a race condition between destroying extent nodes and concurrent writeback operations.

The function f2fs_destroy_extent_node() does not set a flag (FI_NO_EXTENT) before clearing extent nodes. When this function is called from f2fs_drop_inode() with the I_SYNC flag set, a concurrent kernel worker performing writeback can insert new extent nodes into the same extent tree. This causes a race condition that triggers a kernel bug check (f2fs_bug_on()) because the node count is unexpectedly greater than zero during destruction.

Additionally, the function __update_extent_tree_range() only checks the FI_NO_EXTENT flag for one type of extent update (EX_READ), leaving another type (EX_BLOCK_AGE) unprotected, which can also contribute to the issue.

The fix involves setting the FI_NO_EXTENT flag properly under a lock during extent node destruction and ensuring the flag is checked for both EX_READ and EX_BLOCK_AGE updates to prevent this race condition.
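
The following C program is an added illustration, not kernel code and not part of the original advisory: a single-threaded userspace model that replays the interleaving from the description and shows why both halves of the fix are needed. The struct, the replay() helper and its two boolean switches are hypothetical names chosen for this example; only the kernel symbols quoted in the comments come from the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified userspace model, NOT kernel code: one tree, one flag. */
enum extent_type { EX_READ, EX_BLOCK_AGE };

struct extent_tree {
    int  node_cnt;   /* models et->node_cnt */
    bool no_extent;  /* models the FI_NO_EXTENT inode flag */
};

/* Models __update_extent_tree_range(); returns true if a node was inserted.
 * check_all_types=false: flag honoured for EX_READ only (pre-patch). */
static bool update_range(struct extent_tree *et, enum extent_type type,
                         bool check_all_types)
{
    if (et->no_extent && (check_all_types || type == EX_READ))
        return false;            /* tree is being torn down: refuse */
    et->node_cnt++;
    return true;
}

/* Replays the interleaving from the description: writeback's update lands
 * after the destroy loop has released et->lock for the last time.
 * Returns the node_cnt that the final f2fs_bug_on() check would see. */
static int replay(bool destroy_sets_flag, bool check_all_types,
                  enum extent_type wb_type)
{
    struct extent_tree et = { .node_cnt = 3, .no_extent = false };

    while (et.node_cnt) {
        /* write_lock(&et->lock) */
        if (destroy_sets_flag)
            et.no_extent = true;     /* the fix: flag set under the lock */
        et.node_cnt = 0;             /* __free_extent_tree() */
        /* write_unlock(&et->lock) */
    }
    update_range(&et, wb_type, check_all_types);  /* concurrent writeback */
    return et.node_cnt;
}

int main(void)
{
    printf("unpatched, EX_READ:       %d\n", replay(false, false, EX_READ));
    printf("flag only, EX_BLOCK_AGE:  %d\n", replay(true, false, EX_BLOCK_AGE));
    printf("full fix,  EX_BLOCK_AGE:  %d\n", replay(true, true, EX_BLOCK_AGE));
    return 0;
}
```

A nonzero result corresponds to the f2fs_bug_on(node_cnt) condition; setting the flag during destroy without extending the check to EX_BLOCK_AGE still leaves a node behind.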


How can this vulnerability impact me?

This vulnerability can cause a race condition in the f2fs filesystem leading to a kernel bug check (f2fs_bug_on()), which may result in system instability or crashes.

Such instability can lead to data loss or corruption, especially in systems relying on the f2fs filesystem for storage.

Because the issue occurs during inode drop and writeback operations, it may affect system reliability and availability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by a patch in the Linux kernel that fixes a race condition in the f2fs filesystem code related to extent node destruction and writeback.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

No specific workaround or configuration change is described in the provided information.

