Skip to main content

Linux Kernel f2fs CVE-2026-53017

| EUVDEUVD-2026-38885 MEDIUM
2026-06-24 Linux GHSA-f2m7-5m7m-7g2c
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires precise concurrent timing between fsync and checkpoint (AC:H); local f2fs user access (PR:L); impact is permanent data loss mapped to availability (A:H), no confidentiality or unauthorized modification.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 16:17 vuln.today
CVSS changed
Jul 15, 2026 - 14:07 NVD
5.5 (MEDIUM)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:29 nvd
MEDIUM 5.5
CVE Published
Jun 24, 2026 - 16:29 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix data loss caused by incorrect use of nat_entry flag

Data loss can occur when fsync is performed on a newly created file (before any checkpoint has been written) concurrently with a checkpoint operation. The scenario is as follows:

create & write & fsync 'file A' write checkpoint

  • f2fs_do_sync_file // inline inode
  • f2fs_write_inode // inode folio is dirty
  • f2fs_write_checkpoint
  • f2fs_flush_merged_writes
  • f2fs_sync_node_pages
  • f2fs_flush_nat_entries
  • f2fs_fsync_node_pages // no dirty node
  • f2fs_need_inode_block_update // return false

SPO and lost 'file A'

f2fs_flush_nat_entries() sets the IS_CHECKPOINTED and HAS_LAST_FSYNC flags for the nat_entry, but this does not mean that the checkpoint has actually completed successfully. However, f2fs_need_inode_block_update() checks these flags and incorrectly assumes that the checkpoint has finished.

The root cause is that the semantics of IS_CHECKPOINTED and HAS_LAST_FSYNC are only guaranteed after the checkpoint write fully completes.

This patch modifies f2fs_need_inode_block_update() to acquire the sbi->node_write lock before reading the nat_entry flags, ensuring that once IS_CHECKPOINTED and HAS_LAST_FSYNC are observed to be set, the checkpoint operation has already completed.

AnalysisAI

Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Local user creates file on f2fs volume
Delivery
Concurrent kernel checkpoint sets nat_entry flags prematurely
Exploit
fsync reads stale flags without node_write lock
Execution
fsync skips inode block flush
Persist
Data remains uncommitted to persistent storage
Impact
Sudden power loss causes permanent file loss

Vulnerability AssessmentAI

Exploitation f2fs must be the active filesystem on the affected storage volume - systems using ext4, XFS, btrfs, or any other filesystem are entirely unaffected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H rates this as Medium (5.5), but the AC:L assignment warrants scrutiny: this is a race condition requiring specific concurrent timing between fsync and checkpoint operations, which conventionally maps to AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a Linux system using f2fs-formatted storage creates a new file, writes data, and calls fsync while the kernel concurrently executes a checkpoint operation. The race causes fsync to skip flushing the inode block based on prematurely set nat_entry flags; if the system then experiences a sudden power loss or kernel panic, the file and all its written data are permanently lost with no recovery path from the filesystem journal.
Remediation Upgrade to Linux kernel 7.1 or 7.0.10, which contain the upstream fix per EUVD affected version data; the authoritative fix commits are at https://git.kernel.org/stable/c/238e14eb7226f883b72caccd2d37bf5707df066b and https://git.kernel.org/stable/c/20cedb4d9f6b230d0ee469690b8f868f06a07c29. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Share

CVE-2026-53017 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy