CVE-2026-23234
- Source
- https://cve.org/CVERecord?id=CVE-2026-23234
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23234.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23234
- Downstream
- Published
- 2026-03-04T14:36:38.843Z
- Modified
- 2026-03-09T23:55:54.108089Z
- Summary
- f2fs: fix to avoid UAF in f2fs_write_end_io()
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid UAF in f2fswriteend_io()
As syzbot reported an use-after-free issue in f2fswriteend_io().
It is caused by below race condition:
loop device umount - workerthread - loopprocesswork - doreqfilebacked - lorwaio - lorwaiocomplete - blkmqendrequest - blkupdaterequest - f2fswriteendio - decpagecount - folioendwriteback - killf2fssuper - killblocksuper - f2fsputsuper : free(sbi) : getpages(, F2FSWBCPDATA) accessed sbi which is freed
In killf2fssuper(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folioendwriteback().
Let's relocate ckpt thread wakeup flow before folioendwriteback() to resolve this issue.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23234.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/0fb58aff0dafd6837cc91f4154f3ed6e020358fa
- https://git.kernel.org/stable/c/2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9
- https://git.kernel.org/stable/c/505e1c0530db6152cab3feef8e3e4da3d3e358c9
- https://git.kernel.org/stable/c/995030be4ce6338c6ff814583c14166446a64008
- https://git.kernel.org/stable/c/a42f99be8a16b32a0bb91bb6dda212a6ad61be5d
- https://git.kernel.org/stable/c/acc2c97fc0005846e5cf11b5ba3189fef130c9b3
- https://git.kernel.org/stable/c/ce2739e482bce8d2c014d76c4531c877f382aa54
- https://git.kernel.org/stable/c/cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23234.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23234
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducede234088758fca3a669ebb1a02d8bf7bf60f0e4ffFixed0fb58aff0dafd6837cc91f4154f3ed6e020358faFixed2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9Fixed505e1c0530db6152cab3feef8e3e4da3d3e358c9Fixedacc2c97fc0005846e5cf11b5ba3189fef130c9b3Fixedcf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42Fixed995030be4ce6338c6ff814583c14166446a64008Fixeda42f99be8a16b32a0bb91bb6dda212a6ad61be5dFixedce2739e482bce8d2c014d76c4531c877f382aa54
Linux / Kernel
Package
- Name
- Kernel
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced3.13.0Fixed5.10.251
- Type
- ECOSYSTEM
- Events
-
Introduced5.11.0Fixed5.15.201
- Type
- ECOSYSTEM
- Events
-
Introduced5.16.0Fixed6.1.164
- Type
- ECOSYSTEM
- Events
-
Introduced6.2.0Fixed6.6.127
- Type
- ECOSYSTEM
- Events
-
Introduced6.7.0Fixed6.12.74
- Type
- ECOSYSTEM
- Events
-
Introduced6.13.0Fixed6.18.13
- Type
- ECOSYSTEM
- Events
-
Introduced6.19.0Fixed6.19.3