Skip to main content

Linux Kernel EUVDEUVD-2026-26524

| CVE-2026-31715 HIGH
Use After Free (CWE-416)
2026-05-01 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 21:22 vuln.today
CVSS changed
May 06, 2026 - 21:22 NVD
7.8 (HIGH)
Patch released
May 01, 2026 - 15:24 nvd
Patch available
Patch available
May 01, 2026 - 15:02 EUVD
EUVD ID Assigned
May 01, 2026 - 14:22 euvd
EUVD-2026-26524
CVE Published
May 01, 2026 - 14:16 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:16 nvd
N/A

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference.

The concurrent scenario that triggers the panic is as follows:

F2FS_WB_CP_DATA write callback umount

  • f2fs_write_checkpoint
  • f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
  • blk_mq_end_request
  • bio_endio
  • f2fs_write_end_io

: dec_page_count(sbi, F2FS_WB_CP_DATA) : wake_up(&sbi->cp_wait)

  • kill_f2fs_super
  • kill_block_super
  • f2fs_put_super

: iput(sbi->node_inode) : sbi->node_inode = NULL : f2fs_in_warm_node_list

  • is_node_folio // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.

AnalysisAI

Use-after-free in Linux kernel F2FS filesystem allows local authenticated attackers to trigger kernel panic or potentially achieve code execution. The vulnerability (CWE-416) occurs during concurrent write callback and unmount operations when f2fs_write_end_io() decrements page count before checking node inode validity, leading to NULL pointer dereference. Discovered via xfstests generic/107 and syzbot fuzzing. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed. Vendor patches available across stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.

Technical ContextAI

The F2FS (Flash-Friendly File System) is a log-structured filesystem designed for NAND flash storage in the Linux kernel. This use-after-free vulnerability (CWE-416: Use After Free) stems from a race condition in the write completion callback path. The f2fs_write_end_io() function handles I/O completion for checkpoint data writes (F2FS_WB_CP_DATA). The vulnerable code path decrements the sbi->nr_pages reference counter and wakes waiters, then calls f2fs_in_warm_node_list() which dereferences sbi->node_inode. Concurrently, the unmount path (f2fs_put_super) waits for nr_pages to reach zero, then immediately calls iput(sbi->node_inode) and sets the pointer to NULL. The race window allows the write callback to access the freed node_inode pointer after it has been deallocated, violating temporal memory safety. The CPE strings indicate affected versions span from Linux 4.19 through 7.1-rc1, suggesting long-standing code present across multiple stable branches.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.25 or later in the 6.x stable series, 7.0.2 or later in the 7.0 stable series, or 7.1-rc1 and later in the development branch. Apply vendor-provided kernel updates containing commits 188bb65f247a, 963d2e24d9d9, or 2d9c4a4ed4ee depending on your kernel branch. Patch details at https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5. The fix reorders operations in f2fs_write_end_io() to call f2fs_in_warm_node_list() before decrementing the page counter, closing the race window. If immediate patching is not feasible, consider disabling F2FS filesystem support if not actively used (filesystem can be disabled in kernel configuration via CONFIG_F2FS_FS), though this breaks functionality for systems relying on F2FS. Avoid frequent mount/unmount cycles of F2FS filesystems during heavy write I/O operations to reduce race condition triggering probability, though this is operationally impractical for most use cases. No application-layer mitigations exist as this is a kernel-internal race condition. Monitor kernel crash logs for NULL pointer dereferences in f2fs_in_warm_node_list or f2fs_write_end_io as potential exploitation indicators.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26524 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy