{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31715","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.133Z","datePublished":"2026-05-01T13:56:10.591Z","dateUpdated":"2026-05-11T22:14:21.419Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:14:21.419Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()\n\nThe xfstests case \"generic/107\" and syzbot have both reported a NULL\npointer dereference.\n\nThe concurrent scenario that triggers the panic is as follows:\n\nF2FS_WB_CP_DATA write callback          umount\n                                        - f2fs_write_checkpoint\n                                         - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)\n- blk_mq_end_request\n - bio_endio\n  - f2fs_write_end_io\n   : dec_page_count(sbi, F2FS_WB_CP_DATA)\n   : wake_up(&sbi->cp_wait)\n                                        - kill_f2fs_super\n                                         - kill_block_super\n                                          - f2fs_put_super\n                                           : iput(sbi->node_inode)\n                                           : sbi->node_inode = NULL\n   : f2fs_in_warm_node_list\n    - is_node_folio // sbi->node_inode is NULL and panic\n\nThe root cause is that f2fs_put_super() calls iput(sbi->node_inode) and\nsets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is\ndecremented to zero. As a result, f2fs_in_warm_node_list() may\ndereference a NULL node_inode when checking whether a folio belongs to\nthe node inode, leading to a panic.\n\nThis patch fixes the issue by calling f2fs_in_warm_node_list() before\ndecrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the\nuse-after-free condition."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/data.c"],"versions":[{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"7be222de96c0f9eee6e65eeb017ef855ee185cfa","status":"affected","versionType":"git"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"963d2e24d9d92a31e6773b0f642214f10013ebf7","status":"affected","versionType":"git"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"188bb65f247a7a7c62f287c9a263aee3cad96fa5","status":"affected","versionType":"git"},{"version":"50fa53eccf9f911a5b435248a2b0bd484fd82e5e","lessThan":"2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/data.c"],"versions":[{"version":"4.19","status":"affected"},{"version":"0","lessThan":"4.19","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.25","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.2","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1-rc1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"6.18.25"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"7.0.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19","versionEndExcluding":"7.1-rc1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7be222de96c0f9eee6e65eeb017ef855ee185cfa"},{"url":"https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7"},{"url":"https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5"},{"url":"https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53"}],"title":"f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()","x_generator":{"engine":"bippy-1.2.0"}}}}