CVE-2026-23234

ADVISORY - nist

Summary

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_write_end_io()

As syzbot reported an use-after-free issue in f2fs_write_end_io().

It is caused by below race condition:

loop device umount

  • worker_thread
  • loop_process_work
  • do_req_filebacked
  • lo_rw_aio - lo_rw_aio_complete
    • blk_mq_end_request
    • blk_update_request
    • f2fs_write_end_io
    • dec_page_count
    • folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi)

    : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed

In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback().

Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.

EPSS Score: 0.00119 (0.021)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Use After Free


NIST

CREATED

UPDATED

EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)

CVSS SCORE

7.8high

Debian

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Ubuntu

CREATED

UPDATED

EXPLOITABILITY SCORE

1.8

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.8low

Red Hat

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
RATING UNAVAILABLE FROM ADVISORY

Oracle

CREATED

UPDATED

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Ahigh

Photon

CREATED

UPDATED

ADVISORY ID

CVE-2026-23234

EXPLOITABILITY SCORE

-

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

7.8high