CVE-2026-46175: Linux F2FS Garbage Collection Fsck Inconsistency Vulnerability
A flaw in the Linux kernel's F2FS (Flash-Friendly File System) garbage collection process can cause the system to incorrectly track file metadata during node block migration. When the garbage collector moves data blocks, it fails to properly clear internal markers that indicate whether data has been explicitly synced by a user. This confusion causes file system consistency checks (fsck) to report false inconsistencies, potentially leading to data integrity warnings or failures. The issue is triggered by specific sequences of file creation, deletion, and garbage collection operations, particularly when the system experiences power loss after garbage collection but before a checkpoint is written.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix fsck inconsistency caused by FGGC of node block During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data. The reproduction scenario: root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync root@vm:/mnt/f2fs# rm -f 1 root@vm:/mnt/f2fs# sync root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP SPO, "fsck --dry-run" find inode has already checkpointed but still with DENT_BIT_SHIFT set The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes. In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing. This patch move the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46175 affects the F2FS node block garbage collection (GC) logic in the Linux kernel. The vulnerability stems from improper handling of dentry and fsync mark bits during foreground garbage collection (FGGC) of node blocks. When FGGC migrates node blocks, the marks indicating fsync-written or dentried data are not cleared, causing fsck to misinterpret migrated blocks as user-issued fsync writes rather than garbage-collected metadata. Background GC (BGGC) handles this correctly via f2fs_sync_node_pages(), which clears these marks before writing. The fix consolidates mark management into __write_node_folio to ensure consistent behavior across both GC paths and guarantees mark clearing during FGGC.
Business impact
This vulnerability affects the reliability and trustworthiness of file system consistency verification on systems using F2FS—commonly deployed in mobile devices, SSDs, and embedded systems. False fsck inconsistencies can trigger unnecessary repair attempts, service interruptions, or data recovery workflows. In production environments relying on F2FS for high-performance storage, such false positives complicate troubleshooting and may erode confidence in automated filesystem health monitoring. The practical impact depends on how strictly administrators respond to fsck warnings, but the mislabeling of legitimate GC activity as data corruption introduces operational noise and diagnostic uncertainty.
Affected systems
The Linux kernel across all versions incorporating F2FS are potentially affected. F2FS is the default or available file system on Android devices, many embedded Linux systems, and specialized storage appliances. Systems explicitly using F2FS for performance reasons—such as those with flash-based primary storage—face the highest exposure. Filesystems using other kernel implementations (ext4, btrfs, XFS) are not affected. The vulnerability is triggered by specific workload patterns: inline inode creation followed by deletion, sync operations, and garbage collection cycles. Not all F2FS deployments will encounter the necessary conditions to trigger the inconsistency.
Exploitability
This is not a remote or privilege-escalation vulnerability. It requires local file system access and the ability to perform file operations (create, delete, sync) and trigger garbage collection. The CVSS vector reflects local access with low privilege required (PR:L), meaning a non-root user can initiate the sequence, though full impact may depend on file system mount permissions. There is no evidence this has been weaponized or exploited in the wild; the vulnerability was discovered through kernel testing and file system consistency analysis. Practical exploitation for malice would require sustained local access and specific timing—not a practical attack vector in most threat models, but a serious reliability concern for file system integrity.
Remediation
Apply a kernel patch that consolidates fsync and dentry mark management into __write_node_folio and ensures these marks are cleared during FGGC node block migration. Verify the patch against the vendor's official Linux kernel security advisory to confirm the exact commit and affected kernel versions. For F2FS-dependent systems (Android, embedded devices), check with your device manufacturer or distro for backported kernel updates. Until patched, avoid triggering the specific sequence (file creation, deletion, sync, GC) in mission-critical workloads, though this is impractical as general guidance. File system integrity checks (fsck) should be rerun after patching to clear any false warnings recorded on affected systems.
Patch guidance
Obtain the kernel patch from the Linux kernel stable releases or your distribution's security repository. The fix involves relocating the set/clear logic for fsync and dentry marks to __write_node_folio. Verify the patch commit hash and version applicability against the official Linux kernel security tracker. For Android devices and embedded systems, wait for OEM or distro backports; do not apply mainline patches directly without validation. Test patching in a non-production environment first, especially if F2FS is the primary storage medium, to confirm no regressions. Recompile and deploy the patched kernel following your organization's kernel update procedures.
Detection guidance
Monitor for repeated or unexplained fsck inconsistency reports on systems using F2FS, particularly those reporting 'inode has already checkpointed but still with DENT_BIT_SHIFT set' errors. Enable kernel debugging or verbose F2FS logging if available to correlate garbage collection activity with fsck warnings. File system integrity checks after unexpected power loss or system crashes may reveal false positives attributable to this bug. Cross-reference fsck reports against kernel versions and F2FS workload patterns; if reports spike after specific GC activity or file churn, suspect this vulnerability. Automated monitoring of fsck output can flag the telltale inconsistency signature before it causes downstream issues.
Why prioritize this
Despite the high CVSS score (7.1), this vulnerability's real-world impact is constrained by its specificity: it affects only F2FS, requires specific workload patterns, and does not enable privilege escalation or remote code execution. However, it poses a significant integrity risk for systems where F2FS is mission-critical, as false fsck reports can trigger unwarranted recovery procedures or data doubts. Prioritize patching if F2FS is your primary file system or if you rely on automated fsck verification for compliance or reliability assurance. For ext4-dominant environments, defer to lower priority unless F2FS is used for specific high-performance tiers. The high CVSS reflects integrity impact (I:H) and availability impact (A:H) from potential fsck-driven downtime, justifying elevated attention in F2FS-centric deployments.
Risk score, explained
The CVSS 3.1 score of 7.1 (HIGH) is driven by integrity and availability impacts (I:H, A:H) in a local attack context. No confidentiality loss is possible (C:N). The vector AV:L/AC:L/PR:L/UI:N indicates local, low-complexity, low-privilege access without user interaction. The high I and A ratings reflect the potential for mislabeled file system metadata and fsck-driven service interruption. However, the score does not account for the vulnerability's limited scope—it affects only F2FS and only under specific workload conditions—making it less critical than the numeric score might suggest for non-F2FS systems. Organizations should weight this score against their actual F2FS footprint and reliance on fsck for operational decisions.
Frequently asked questions
Does this affect my system if I use ext4 or btrfs?
No. This vulnerability is specific to F2FS (Flash-Friendly File System). If your primary file systems are ext4, btrfs, XFS, or other kernelspace implementations, you are not affected. Check your mount table with 'mount' or 'df -T' to confirm.
What does 'fsck inconsistency' mean in this context?
fsck is a file system consistency check utility. This vulnerability causes fsck to report false errors—specifically, that inodes are marked as containing fsync-written data when they actually contain garbage-collected metadata. These false positives don't represent actual corruption but can trigger unnecessary repair attempts or alerts, creating operational confusion.
Do I need to patch immediately, or can this wait?
If F2FS is not in use on your systems, patching is not urgent. If F2FS is your primary storage, prioritize patching, especially if you rely on automated fsck checks for compliance or monitoring. The vulnerability requires specific workload patterns to manifest, so systems with light file churn may not encounter it. However, production systems should be patched within a standard security update cycle to prevent surprise failures.
Will this patch affect my file system's performance?
The patch consolidates mark-management logic but does not fundamentally alter F2FS performance. Performance impact should be negligible. However, test in a staging environment first, particularly for high-IOPS workloads, to confirm no unforeseen regressions with your specific kernel version and F2FS configuration.
This analysis is based on the vulnerability disclosure and kernel patch description available as of the publication date. CVSS scores and vector details are sourced from official CVE records; verify against NVD or the vendor advisory for the authoritative assessment. Patch version numbers and availability must be confirmed against the Linux kernel security repository and your distribution's advisory—do not assume patch availability across all kernel versions or distributions simultaneously. This vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog; exploit code in the wild is not documented, but this does not guarantee absence of weaponization. Organizations should conduct their own risk assessment based on F2FS adoption and operational posture. This document is informational and does not constitute security advice; consult your security team and vendor advisories for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment