Skip to main content

Linux Kernel EUVDEUVD-2026-28633

| CVE-2026-43349 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9fq9-rx75-mm5g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 21:31 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:17 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer

syzbot reported a f2fs bug as below:

BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520 f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520 f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177 f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1 bio_endio+0x1006/0x1160 block/bio.c:1792 submit_bio_noacct+0x533/0x2960 block/blk-core.c:891 submit_bio+0x57a/0x620 block/blk-core.c:926 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline] f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557 f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775 read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481 __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576 f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623 do_read_inode fs/f2fs/inode.c:425 [inline] f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596 f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694 get_tree_bdev+0x38/0x50 fs/super.c:1717 f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754 fc_mount fs/namespace.c:1193 [inline] do_new_mount_fc fs/namespace.c:3763 [inline] do_new_mount+0x885/0x1dd0 fs/namespace.c:3839 path_mount+0x7a2/0x20b0 fs/namespace.c:4159 do_mount fs/namespace.c:4172 [inline] __do_sys_mount fs/namespace.c:4361 [inline] __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is: in f2fs_finish_read_bio(), we may access uninit data in folio if we failed to read the data from device into folio, let's add a check condition to avoid such issue.

AnalysisAI

Use of uninitialized memory in Linux kernel f2fs filesystem node footer validation causes local denial of service. Linux kernel versions 7.0 through 7.1-rc1 with f2fs support allow local authenticated users to trigger a kernel crash by mounting a maliciously crafted f2fs filesystem image. The vulnerability occurs when f2fs_sanity_check_node_footer() accesses uninitialized folio data after a failed disk read operation during filesystem mount, as reported by syzbot. EPSS score of 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. Vendor patches available for stable kernel branches 6.18.25, 7.0.2, and 7.1-rc1.

Technical ContextAI

This vulnerability affects the Linux kernel's Flash-Friendly File System (f2fs), specifically in the node footer sanity checking logic. F2fs is a log-structured filesystem designed for flash-based storage devices. The issue manifests in the f2fs_finish_read_bio() function during bio (block I/O) completion handling. When the filesystem attempts to read node metadata from storage during inode initialization (f2fs_iget path during mount), the code path proceeds to validate node footer data via f2fs_sanity_check_node_footer() even when the preceding bio read operation has failed to populate the folio (page cache structure). This represents a classic CWE-908 (Use of Uninitialized Resource) vulnerability where kernel memory sanitization assumptions break down in error paths. The CPE strings indicate broad kernel version ranges are affected, with git commits showing the vulnerability window spans from commit 50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4 through the 7.0 release series until patched in 7.1-rc1, 7.0.2, and 6.18.25 stable branches.

RemediationAI

Upgrade to patched Linux kernel versions: 7.1-rc1 or later for mainline users, 7.0.2 for stable 7.0 branch users, or 6.18.25 for LTS 6.18 branch users, per git.kernel.org stable commit references https://git.kernel.org/stable/c/59970b2586fef4b13e96527b9d232bed30b640cd, https://git.kernel.org/stable/c/7b9161a605e91d0987e2596a245dc1f21621b23f, and https://git.kernel.org/stable/c/a10b89343d41ceee1af0ec38d3a74e526c77fa09. For systems that cannot immediately patch, implement compensating controls: disable f2fs filesystem support by blacklisting the f2fs kernel module (echo 'blacklist f2fs' >> /etc/modprobe.d/blacklist.conf), which prevents mounting any f2fs filesystems but eliminates the attack surface-acceptable tradeoff if f2fs is not operationally required. Restrict mount privileges to root-only users via fstab noauto options and remove user mount permissions from /etc/fstab and pam_mount configurations. Disable USB auto-mounting services (udisks2, gvfs) on multi-user systems to prevent untrusted f2fs images from being automatically mounted. Note that disabling f2fs will break systems relying on f2fs-formatted storage; validate dependencies before implementing. Distribution-specific security advisories should be monitored for backported patches in enterprise kernels (RHEL, Ubuntu, SLES).

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed

Share

EUVD-2026-28633 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy