CVE-2026-31715

Source
https://cve.org/CVERecord?id=CVE-2026-31715
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31715.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-31715
Published
2026-05-01T13:56:10.591Z
Modified
2026-06-23T03:54:20.553153976Z
Summary
f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()
Details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

The xfstests case "generic/107" and syzbot have both reported a NULL pointer dereference.

The concurrent scenario that triggers the panic is as follows:

F2FS_WB_CP_DATA write callback              umount
                                             - f2fs_write_checkpoint
                                              - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
 - bio_endio
  - f2fs_write_end_io
   : dec_page_count(sbi, F2FS_WB_CP_DATA)
   : wake_up(&sbi->cp_wait)
                                             - kill_f2fs_super
                                              - kill_block_super
                                               - f2fs_put_super
                                                : iput(sbi->node_inode)
                                                : sbi->node_inode = NULL
   - f2fs_in_warm_node_list
    - is_node_folio   // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is decremented to zero. As a result, f2fs_in_warm_node_list() may dereference a NULL node_inode when checking whether a folio belongs to the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the use-after-free condition.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31715.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
50fa53eccf9f911a5b435248a2b0bd484fd82e5e
Fixed
7dbdab4430e4654db9aacef12b9b3b8b29ca25cb
Fixed
ffb94770dbdfb5411be5d9f44a960b010ec890ad
Fixed
0d40b26377f891e6dcb6efaf8ef9374c99be1b1d
Fixed
1171f329cf1c175321251ac40fd126150d7ad1e8
Fixed
7be222de96c0f9eee6e65eeb017ef855ee185cfa
Fixed
963d2e24d9d92a31e6773b0f642214f10013ebf7
Fixed
188bb65f247a7a7c62f287c9a263aee3cad96fa5
Fixed
2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31715.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.19.0
Fixed
5.10.259
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.210
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.176
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.140
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.86
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.25
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31715.json"