Skip to main content

Linux Kernel EUVDEUVD-2026-32821

| CVE-2026-46194 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-fjrm-vjgq-9rp6
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local-only race condition requiring low-privilege access and precise timing; pure availability impact via kernel panic, no confidentiality or integrity loss.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 21:44 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
4.7 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows:

drop inode writeback

  • iput
  • f2fs_drop_inode // I_SYNC set
  • f2fs_destroy_extent_node
  • __destroy_extent_node
  • while (node_cnt) {

write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock)

  • __writeback_single_inode
  • f2fs_outplace_write_data
  • f2fs_update_read_extent_cache
  • __update_extent_tree_range

// FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while

  • f2fs_bug_on(node_cnt) // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.

AnalysisAI

Kernel panic via race condition in the f2fs filesystem extent node management affects Linux kernel across multiple stable branches. When f2fs_destroy_extent_node() is invoked from f2fs_drop_inode() with I_SYNC set, a concurrent kworker writeback thread can insert new extent nodes into the same extent tree between lock releases, causing node_cnt to become non-zero upon loop exit and triggering f2fs_bug_on() - a deliberate kernel assertion failure resulting in a system crash. A secondary gap leaves EX_BLOCK_AGE extent tree updates completely unprotected by the FI_NO_EXTENT flag check, compounding the race surface. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile), indicating low exploitation probability in the near term.

Technical ContextAI

The affected component is the f2fs (Flash-Friendly File System) extent cache subsystem in the Linux kernel, identified by CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. CWE-367 (Time-of-Check Time-of-Use / TOCTOU Race Condition) precisely describes the root cause: f2fs_destroy_extent_node() releases and reacquires et->lock in a while(node_cnt) loop via __free_extent_tree(), creating a window where concurrent __update_extent_tree_range() calls - triggered by kworker writeback through f2fs_outplace_write_data() - can insert new nodes. The guard flag FI_NO_EXTENT is not set before the loop begins, so writeback threads see no inhibitor. Separately, __update_extent_tree_range() only consulted FI_NO_EXTENT for EX_READ extent type, leaving EX_BLOCK_AGE age-based extent tracking entirely unguarded. The fix sets FI_NO_EXTENT under et->lock within __destroy_extent_node() and extends the FI_NO_EXTENT check to both EX_READ and EX_BLOCK_AGE tree types, consistent with existing callers __drop_extent_tree and __update_extent_tree_range.

RemediationAI

Upgrade to a patched kernel release: Linux 6.6.140, 6.12.88, 7.0.7, or 7.1-rc1 (mainline). The upstream fix commits are available at https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92 (6.13 branch), https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71, https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f, https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26, and https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f. For systems where kernel upgrades are not immediately feasible, the most effective compensating control is to avoid mounting f2fs filesystems on affected kernels; switching to ext4 or XFS eliminates the vulnerable code path entirely but requires data migration. Disabling the f2fs kernel module (if compiled as a module rather than built-in) via modprobe blacklist also eliminates the attack surface with no side effects on systems not dependent on f2fs. There is no known runtime configuration toggle to disable the extent cache independently without patching.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

EUVD-2026-32821 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy