Skip to main content

Linux Kernel EUVDEUVD-2026-26511

| CVE-2026-31702 HIGH
Use After Free (CWE-416)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 21:00 vuln.today
CVSS changed
May 06, 2026 - 18:52 NVD
7.8 (HIGH)
Patch released
May 01, 2026 - 15:24 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26511
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi). Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab - a destroyed slab cache - to call kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount. For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning - page_array_free is not reached on this path, so there is no post-decrement sbi access. For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.

AnalysisAI

Use-after-free in Linux kernel f2fs compressed writeback allows local authenticated users to trigger memory corruption, potentially executing arbitrary code or causing system crashes. Affects f2fs-compressed filesystems in Linux kernel 5.6 through 7.1-rc2, with patches available in 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite CVSS 7.8 rating. This mirrors CVE-2026-23234's race condition pattern but in the compression code path that was missed by the earlier fix. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Technical ContextAI

The vulnerability resides in the f2fs (Flash-Friendly File System) compressed writeback completion handler (f2fs_compress_write_end_io()). F2fs is a Linux kernel filesystem optimized for flash storage that supports transparent compression. The bug is a classic use-after-free (CWE-416) caused by a race condition between bio completion callbacks and filesystem unmount operations. When dec_page_count() decrements the F2FS_WB_CP_DATA counter to zero, it can unblock f2fs_wait_on_all_pages() in the unmount path (f2fs_put_super()) running on another CPU. The unmount then proceeds to destroy sbi->page_array_slab via kmem_cache_destroy() and eventually kfree(sbi). However, the bio completion callback is still executing and subsequently calls page_array_free(), which dereferences the now-freed sbi->page_array_slab to call kmem_cache_free(), creating the use-after-free condition. This is a time-of-check/time-of-use (TOCTOU) race where the shared resource (sbi structure) is freed between validation and use. The vulnerability was introduced in commit 4c8ff7095bef64fc47e996a938f7d57f9e077da3, which added f2fs compression support in kernel 5.6.

RemediationAI

Upgrade to patched Linux kernel versions: 6.6.136 or later for LTS 6.6.x, 6.12.84 or later for stable 6.12.x, 7.0.2 or later for 7.0.x, or 7.1-rc1 or later for mainline. Kernel patches are available from kernel.org stable tree at https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a (mainline) and branch-specific commits linked in NVD references. For systems where immediate kernel upgrade is not feasible, disable f2fs compression as a compensating control by unmounting f2fs filesystems mounted with compression options (compress_algorithm, compress_log_size) and remounting without these options, though this sacrifices compression benefits and may require data migration if existing data is compressed. Alternatively, avoid unmounting f2fs filesystems with active compressed writeback by ensuring clean filesystem shutdown sequences, but this is unreliable as a security control. Restrict local user access to systems running vulnerable kernels with f2fs compression as a defense-in-depth measure, recognizing this only raises the bar for exploitation. Monitor for abnormal kernel crashes or memory corruption events in systems using f2fs compression as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26511 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy