{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46194","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.104Z","datePublished":"2026-05-28T09:36:47.461Z","dateUpdated":"2026-06-14T18:01:43.896Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T18:01:43.896Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode                            writeback\n - iput\n  - f2fs_drop_inode  // I_SYNC set\n   - f2fs_destroy_extent_node\n    - __destroy_extent_node\n     - while (node_cnt) {\n        write_lock(&et->lock)\n        __free_extent_tree\n        write_unlock(&et->lock)\n                                       - __writeback_single_inode\n                                        - f2fs_outplace_write_data\n                                         - f2fs_update_read_extent_cache\n                                          - __update_extent_tree_range\n                                           // FI_NO_EXTENT not set,\n                                           // insert new extent node\n       } // node_cnt == 0, exit while\n     - f2fs_bug_on(node_cnt)  // node_cnt > 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/extent_cache.c"],"versions":[{"version":"295b50e95e900da31ff237e46e04525fa799b2cf","lessThan":"42dd1c91f993431d0b399502479d00e6ad1bca71","status":"affected","versionType":"git"},{"version":"924f7dd1e832e4e4530d14711db223d2803f7b61","lessThan":"ab1eaf9d5c99042f5b0243bf67a06283a4c0757f","status":"affected","versionType":"git"},{"version":"3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343","lessThan":"b0e4395870eb3441ddc959f6710b5f6ca61aff26","status":"affected","versionType":"git"},{"version":"3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343","lessThan":"0559a0e962aacbb47519e26ee663be04b72dcb92","status":"affected","versionType":"git"},{"version":"3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343","lessThan":"ed78aeebef05212ef7dca93bd931e4eff67c113f","status":"affected","versionType":"git"},{"version":"6.6.66","lessThan":"6.6.140","status":"affected","versionType":"semver"},{"version":"6.12.5","lessThan":"6.12.88","status":"affected","versionType":"semver"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/f2fs/extent_cache.c"],"versions":[{"version":"6.13","status":"affected"},{"version":"0","lessThan":"6.13","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.7","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.66","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.5","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"7.0.7"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71"},{"url":"https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"},{"url":"https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26"},{"url":"https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92"},{"url":"https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f"}],"title":"f2fs: fix node_cnt race between extent node destroy and writeback","x_generator":{"engine":"bippy-1.2.0"}}}}