Skip to main content

Checkpoint EUVDEUVD-2026-12908

| CVE-2026-23267 MEDIUM
2026-03-18 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 29, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 18:00 euvd
EUVD-2026-12908
Analysis Generated
Mar 18, 2026 - 18:00 vuln.today
CVE Published
Mar 18, 2026 - 17:46 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes

During SPO tests, when mounting F2FS, an -EINVAL error was returned from f2fs_recover_inode_page. The issue occurred under the following scenario

Thread A Thread B f2fs_ioc_commit_atomic_write

  • f2fs_do_sync_file // atomic = true
  • f2fs_fsync_node_pages

: last_folio = inode folio : schedule before folio_lock(last_folio) f2fs_write_checkpoint

  • block_operations// writeback last_folio
  • schedule before f2fs_flush_nat_entries

: set_fsync_mark(last_folio, 1) : set_dentry_mark(last_folio, 1) : folio_mark_dirty(last_folio)

  • __write_node_folio(last_folio)

: f2fs_down_read(&sbi->node_write)//block

  • f2fs_flush_nat_entries

: {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)

  • unblock_operations

: f2fs_up_write(&sbi->node_write) f2fs_write_checkpoint//return : f2fs_do_write_node_page() f2fs_ioc_commit_atomic_write//return SPO

Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has already been written once. However, the {struct nat_entry}->flag did not have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and write last_folio again after Thread B finishes f2fs_write_checkpoint.

After SPO and reboot, it was detected that {struct node_info}->blk_addr was not NULL_ADDR because Thread B successfully write the checkpoint.

This issue only occurs in atomic write scenarios. For regular file fsync operations, the folio must be dirty. If block_operations->f2fs_sync_node_pages successfully submit the folio write, this path will not be executed. Otherwise, the f2fs_write_checkpoint will need to wait for the folio write submission to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the situation where f2fs_need_dentry_mark checks that the {struct nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has already been submitted, will not occur.

Therefore, for atomic file fsync, sbi->node_write should be acquired through __write_node_folio to ensure that the IS_CHECKPOINTED flag correctly indicates that the checkpoint write has been completed.

AnalysisAI

This vulnerability is a race condition in the Linux kernel's F2FS file system that causes flag inconsistency between concurrent atomic commit and checkpoint write operations. The issue affects all Linux kernel versions with F2FS support (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), allowing information disclosure through incorrect inode state recovery after sudden power-off (SPO) scenarios. An attacker with local file system access during atomic write operations could trigger the race condition, leading to potential data inconsistency and information leakage when the system recovers.

Technical ContextAI

The vulnerability exists in the F2FS (Flash-Friendly File System) implementation within the Linux kernel. F2FS is a log-structured file system optimized for NAND flash memory. The root cause is a synchronization issue in the IS_CHECKPOINTED flag management within the nat_entry structure during concurrent execution of f2fs_ioc_commit_atomic_write and f2fs_write_checkpoint functions. The race condition occurs when Thread A performs atomic file fsync operations while Thread B executes checkpoint writes, causing the IS_CHECKPOINTED flag to not be properly set before the folio (page) write is submitted. This violates the expected invariant that the flag state accurately reflects checkpoint completion status. The affected product is the Linux kernel with F2FS support (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), and the root cause relates to improper synchronization primitives (similar to CWE-367: Time-of-check Time-of-use Race Condition) in the node write locking mechanism.

RemediationAI

Update the Linux kernel to a version that includes the fix commits from the stable branches (verify specific version numbers via kernel.org and your distribution's advisory pages). The fix involves acquiring the sbi->node_write lock during atomic file fsync operations in __write_node_folio to ensure proper synchronization of the IS_CHECKPOINTED flag with actual checkpoint completion. For systems unable to immediately patch, implement workarounds by disabling atomic write operations if possible (though this may impact application performance), ensuring adequate battery backup or UPS protection to minimize sudden power-off scenarios during checkpoint windows, and scheduling checkpoint operations during low system load periods. Systems using F2FS on SSDs or other devices should prioritize patching as atomic writes are commonly used by database systems and transaction-based applications. Refer to the stable kernel commits at https://git.kernel.org/stable for patch details and deployment guidance.

CVE-2017-1000083 HIGH POC
7.8 Sep 05

backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e

CVE-2024-3568 CRITICAL POC
9.6 Apr 10

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data

CVE-2026-24747 HIGH POC
8.8 Jan 27

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

CVE-2022-41604 HIGH POC
8.8 Sep 27

Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever

CVE-2024-24919 HIGH POC
8.6 May 28

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte

CVE-2026-58659 HIGH POC
8.4 Jul 15

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che

CVE-2019-8461 HIGH POC
7.8 Aug 29

Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo

CVE-2019-8452 HIGH POC
7.8 Apr 22

A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien

CVE-2013-7350 CRITICAL
10.0 Apr 01

Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef

CVE-2026-31214 CRITICAL
9.8 May 12

Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec

CVE-2019-8459 CRITICAL
9.8 Jun 20

Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us

CVE-2026-31222 HIGH
8.8 May 12

Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm fixed 6.1.164-1 -
bookworm (security) fixed 6.1.164-1 -
trixie fixed 6.12.74-1 -
trixie (security) fixed 6.12.74-2 -
forky fixed 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.18.13-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-12908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy