CVE-2026-31702

Source
https://cve.org/CVERecord?id=CVE-2026-31702
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31702.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31702
Published
2026-05-01T13:56:01.601Z
Modified
2026-06-18T03:54:56.561933424Z
Summary
f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring the F2FS_WB_CP_DATA counter to zero, unblocking f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount CPU. The unmount path then proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and eventually kfree(sbi). Meanwhile, the bio completion callback is still executing: when it reaches page_array_free(sbi, ...), it dereferences sbi->page_array_slab — a destroyed slab cache — to call kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the equivalent race in f2fs_write_end_io() in data.c), but in the compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so that all sbi accesses complete before the counter decrement that can unblock unmount. For non-last folios (where atomic_dec_return on cic->pending_pages is nonzero), dec_page_count is called immediately before returning — page_array_free is not reached on this path, so there is no post-decrement sbi access. For the last folio, page_array_free runs while the F2FS_WB_CP_DATA counter is still nonzero (this folio has not yet decremented it), keeping sbi alive, and dec_page_count runs as the final operation.
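
The ordering described above, as an added userspace model (not the kernel source and not part of the original record). The structs `sbi_model` and `cic_model`, the helper `run_model()`, and the synchronous teardown on reaching zero are assumptions made to render the worst-case interleaving deterministically; the function names only mirror the ones in the description.

```c
#include <stdbool.h>
#include <stdio.h>
/* Userspace model, not kernel code: struct layouts are assumptions. */
struct sbi_model { int wb_cp_data; bool slab_alive; int uaf_hits; };
struct cic_model { int pending_pages; };

/* Worst case: the unmount CPU tears sbi down the instant the counter hits 0. */
static void dec_page_count(struct sbi_model *sbi)
{
    if (--sbi->wb_cp_data == 0)
        sbi->slab_alive = false; /* models kmem_cache_destroy() + kfree(sbi) */
}

static void page_array_free(struct sbi_model *sbi)
{
    if (!sbi->slab_alive)
        sbi->uaf_hits++;         /* would be the use-after-free in the kernel */
}

/* Order before the fix: counter drops first, sbi is touched afterwards. */
static void end_io_before_fix(struct sbi_model *sbi, struct cic_model *cic)
{
    dec_page_count(sbi);
    if (--cic->pending_pages)
        return;                  /* non-last folio */
    page_array_free(sbi);
}

/* Order after the fix: every sbi access precedes the final decrement. */
static void end_io_after_fix(struct sbi_model *sbi, struct cic_model *cic)
{
    if (--cic->pending_pages) {
        dec_page_count(sbi);     /* non-last folio: no sbi access follows */
        return;
    }
    page_array_free(sbi);
    dec_page_count(sbi);
}

/* Complete `folios` folios of one cluster; return accesses made after teardown. */
static int run_model(int folios, bool fixed)
{
    struct sbi_model sbi = { folios, true, 0 };
    struct cic_model cic = { folios };
    for (int i = 0; i < folios; i++)
        (fixed ? end_io_after_fix : end_io_before_fix)(&sbi, &cic);
    return sbi.uaf_hits;
}
int main(void) { printf("%d %d\n", run_model(3, false), run_model(3, true)); return 0; }
```

In the model the pre-fix order records one access after teardown on the last folio, and the post-fix order records none.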

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31702.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4c8ff7095bef64fc47e996a938f7d57f9e077da3
Fixed
57bc678f36ac03281e877c6b84877b43f964143f
Fixed
ef57cd3329b40c739b9a2e1a8a21ecc4171c6280
Fixed
f5154cf3ce1c8193f0c1891d3769f62740cfe6fe
Fixed
c76cf339b87975ae5b2c06d2d774d5667d25a12a
Fixed
2c97dcb6147c8f7f25c629b93be1e69617de5d4a
Fixed
39d4ee19c1e7d753dd655aebee632271b171f43a

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31702.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM, Introduced: 5.6.0, Fixed: 6.1.175
Type: ECOSYSTEM, Introduced: 6.2.0, Fixed: 6.6.136
Type: ECOSYSTEM, Introduced: 6.7.0, Fixed: 6.12.84
Type: ECOSYSTEM, Introduced: 6.13.0, Fixed: 6.18.25
Type: ECOSYSTEM, Introduced: 6.19.0, Fixed: 7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31702.json"