CVE Catalog

CVE-2026-46194

MediumCVSS 4.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile - higher than 2% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel within the f2fs_destroy_extent_node() function, which does not set the FI_NO_EXTENT flag before clearing nodes. This can lead to a race condition between deletion and writeback operations, resulting in a f2fs_bug_on() error in the __destroy_extent_node() function.

Risk Assessment

This vulnerability may lead to unpredictable behavior of the F2FS file system, potentially resulting in data loss or system instability. Organizations should be aware of the risks associated with concurrent access to nodes in the tree.

Recommendation

It is recommended to update the Linux kernel to the latest version that includes fixes for this vulnerability. Additionally, systems should be monitored for any abnormal behavior related to F2FS.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS