Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Race condition requires precise concurrent timing between fsync and checkpoint (AC:H); local f2fs user access (PR:L); impact is permanent data loss mapped to availability (A:H), no confidentiality or unauthorized modification.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix data loss caused by incorrect use of nat_entry flag
Data loss can occur when fsync is performed on a newly created file (before any checkpoint has been written) concurrently with a checkpoint operation. The scenario is as follows:
create & write & fsync 'file A' write checkpoint
- f2fs_do_sync_file // inline inode
- f2fs_write_inode // inode folio is dirty
- f2fs_write_checkpoint
- f2fs_flush_merged_writes
- f2fs_sync_node_pages
- f2fs_flush_nat_entries
- f2fs_fsync_node_pages // no dirty node
- f2fs_need_inode_block_update // return false
SPO and lost 'file A'
f2fs_flush_nat_entries() sets the IS_CHECKPOINTED and HAS_LAST_FSYNC flags for the nat_entry, but this does not mean that the checkpoint has actually completed successfully. However, f2fs_need_inode_block_update() checks these flags and incorrectly assumes that the checkpoint has finished.
The root cause is that the semantics of IS_CHECKPOINTED and HAS_LAST_FSYNC are only guaranteed after the checkpoint write fully completes.
This patch modifies f2fs_need_inode_block_update() to acquire the sbi->node_write lock before reading the nat_entry flags, ensuring that once IS_CHECKPOINTED and HAS_LAST_FSYNC are observed to be set, the checkpoint operation has already completed.
AnalysisAI
Data loss in the Linux kernel's f2fs (Flash-Friendly File System) driver exposes files created and synced before any checkpoint has been written to permanent loss on sudden power off. The race condition between fsync on newly created files and concurrent checkpoint operations causes f2fs_need_inode_block_update() to misread prematurely set nat_entry flags (IS_CHECKPOINTED and HAS_LAST_FSYNC), leading fsync to skip the inode block flush it actually requires. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | f2fs must be the active filesystem on the affected storage volume - systems using ext4, XFS, btrfs, or any other filesystem are entirely unaffected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H rates this as Medium (5.5), but the AC:L assignment warrants scrutiny: this is a race condition requiring specific concurrent timing between fsync and checkpoint operations, which conventionally maps to AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a Linux system using f2fs-formatted storage creates a new file, writes data, and calls fsync while the kernel concurrently executes a checkpoint operation. The race causes fsync to skip flushing the inode block based on prematurely set nat_entry flags; if the system then experiences a sudden power loss or kernel panic, the file and all its written data are permanently lost with no recovery path from the filesystem journal. |
| Remediation | Upgrade to Linux kernel 7.1 or 7.0.10, which contain the upstream fix per EUVD affected version data; the authoritative fix commits are at https://git.kernel.org/stable/c/238e14eb7226f883b72caccd2d37bf5707df066b and https://git.kernel.org/stable/c/20cedb4d9f6b230d0ee469690b8f868f06a07c29. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Checkpoint
View allbackend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to e
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data
PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]
Check Point ZoneAlarm Extreme Security before 15.8.211.19229 allows local users to escalate privileges. Rated high sever
Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the inte
Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious che
Check Point Endpoint Security Initial Client for Windows before version E81.30 tries to load a DLL placed in any PATH lo
A hard-link created from log file archive of Check Point ZoneAlarm up to 15.4.062 or Check Point Endpoint Security clien
Multiple unspecified vulnerabilities in Check Point Security Gateway 80 R71.x before R71.45 (730159141) and R75.20.x bef
Arbitrary code execution via torch-checkpoint-shrink.py script in ml-engineering project allows remote attackers to exec
Check Point Endpoint Security Client for Windows, with the VPN blade, before version E80.83, starts a process without us
Arbitrary code execution in Snorkel machine learning library (≤v0.10.0) occurs when users load malicious model checkpoin
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38885
GHSA-f2m7-5m7m-7g2c