CVE-2026-53303
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
In the Linux kernel's F2FS filesystem, a vulnerability was found where f2fs_sbi_show() reads the extension list, extension count, and hot extension count without holding the sb_lock. Concurrent modification via sysfs can cause inconsistent reads, potentially leading to out-of-bounds access or displaying stale data.
Risk Assessment
The risk involves potential data integrity issues in the F2FS filesystem and possible out-of-bounds access, which could lead to system crashes or unpredictable kernel behavior.
Recommendation
Immediately update the Linux kernel to a version containing the fix that protects the extension list read with sb_lock in f2fs_sbi_show().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() In f2fs_sbi_show(), the extension_list, extension_count and hot_ext_count are read without holding sbi->sb_lock. If a concurrent sysfs store modifies the extension list via f2fs_update_extension_list(), the show path may read inconsistent count and array contents, potentially leading to out-of-bounds access or displaying stale data. Fix this by holding sb_lock around the entire extension list read and format operation.

