In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
syzbot reported an f2fs bug as below:
BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
 f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
 f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177
 f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1
 bio_endio+0x1006/0x1160 block/bio.c:1792
 submit_bio_noacct+0x533/0x2960 block/blk-core.c:891
 submit_bio+0x57a/0x620 block/blk-core.c:926
 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]
 f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557
 f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775
 read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481
 __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576
 f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623
 do_read_inode fs/f2fs/inode.c:425 [inline]
 f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596
 f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184
 get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
 get_tree_bdev+0x38/0x50 fs/super.c:1717
 f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436
 vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
 fc_mount fs/namespace.c:1193 [inline]
 do_new_mount_fc fs/namespace.c:3763 [inline]
 do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
 path_mount+0x7a2/0x20b0 fs/namespace.c:4159
 do_mount fs/namespace.c:4172 [inline]
 __do_sys_mount fs/namespace.c:4361 [inline]
 __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
 __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
 x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause: in f2fs_finish_read_bio(), the node footer is sanity-checked even when reading the data from the device into the folio failed, so the check operates on uninitialized folio contents. The fix adds a check condition so that such uninitialized data is not accessed.
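As an added illustration that is neither the kernel's code nor the actual patch: a constructed C model of the read-completion path, showing the footer check run unconditionally beside the version that consults the I/O status first. Every name, the magic value and the footer layout are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of this bug class, not the kernel's own code: the read
 * completion must check I/O status before validating the page, because a
 * failed read leaves the page holding whatever it held before. */
#define FOOTER_MAGIC 0x46324653u                  /* hypothetical magic value */
struct footer { uint32_t magic; uint32_t nid; };  /* hypothetical layout */
struct folio { unsigned char data[64]; bool uptodate; };
struct bio {
    int status;          /* 0 = success, nonzero = device error (cf. bi_status) */
    struct folio *folio;
};

/* Stand-in for the footer sanity check: it reads the page contents. */
static bool footer_ok(const struct folio *f)
{
    struct footer ft;
    memcpy(&ft, f->data + sizeof f->data - sizeof ft, sizeof ft);
    return ft.magic == FOOTER_MAGIC;
}

/* Before the fix: the footer is checked whatever the I/O outcome, so a failed
 * read makes the check consume uninitialised memory (what KMSAN flagged). */
bool finish_read_unfixed(struct bio *bio)
{
    bio->folio->uptodate = footer_ok(bio->folio);
    return bio->folio->uptodate;
}

/* After the fix: an I/O error is handled first and the page is never read. */
bool finish_read_fixed(struct bio *bio)
{
    if (bio->status != 0) {
        bio->folio->uptodate = false;
        return false;
    }
    bio->folio->uptodate = footer_ok(bio->folio);
    return bio->folio->uptodate;
}

/* One completion. stale_footer models a recycled page still holding a valid
 * footer from earlier use, which a failed read never overwrote. */
bool run_completion(int io_status, bool stale_footer, bool fixed)
{
    struct folio f;
    struct footer ft = { stale_footer ? FOOTER_MAGIC : 0u, 7u };
    memset(f.data, 0xA5, sizeof f.data);
    memcpy(f.data + sizeof f.data - sizeof ft, &ft, sizeof ft);
    struct bio bio = { io_status, &f };
    return fixed ? finish_read_fixed(&bio) : finish_read_unfixed(&bio);
}
```

The unfixed handler accepts a page whose read failed whenever the leftover bytes happen to look valid; the fixed handler rejects it regardless of contents.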
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43349.json"
}