MEDIUM 4.7

CVE-2026-46194: Linux F2FS Extent Node Race Condition Leading to Kernel Crash

A race condition exists in the Linux kernel's F2FS file system implementation that can cause a kernel crash. When an inode is being dropped from memory, the extent node destruction process does not properly signal that no new extent nodes should be added. Meanwhile, concurrent write-back operations may attempt to insert new extent nodes, creating a collision that triggers a kernel bug check. The vulnerability affects systems using F2FS, particularly in multi-threaded I/O scenarios where inode cleanup and write-back operations overlap.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.7 MEDIUM · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-367
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix node_cnt race between extent node destroy and writeback f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing extent nodes. When called from f2fs_drop_inode() with I_SYNC set, concurrent kworker writeback can insert new extent nodes into the same extent tree, racing with the destroy and triggering f2fs_bug_on() in __destroy_extent_node(). The scenario is as follows: drop inode writeback - iput - f2fs_drop_inode // I_SYNC set - f2fs_destroy_extent_node - __destroy_extent_node - while (node_cnt) { write_lock(&et->lock) __free_extent_tree write_unlock(&et->lock) - __writeback_single_inode - f2fs_outplace_write_data - f2fs_update_read_extent_cache - __update_extent_tree_range // FI_NO_EXTENT not set, // insert new extent node } // node_cnt == 0, exit while - f2fs_bug_on(node_cnt) // node_cnt > 0 Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected. This patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(), consistent with other callers (__update_extent_tree_range and __drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and EX_BLOCK_AGE tree.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46194 is a use-after-free race condition in F2FS's extent node management. The flaw occurs because f2fs_destroy_extent_node() fails to set the FI_NO_EXTENT flag before clearing extent nodes. When f2fs_drop_inode() is called with I_SYNC set, concurrent writeback via __writeback_single_inode() can invoke f2fs_update_read_extent_cache() and __update_extent_tree_range(), inserting new extent nodes into the extent tree even as __destroy_extent_node() attempts to clear it. This creates a window where node_cnt can be incremented after the loop that frees extent nodes exits, causing f2fs_bug_on(node_cnt) to fire. Additionally, the FI_NO_EXTENT flag check in __update_extent_tree_range() only applies to EX_READ type extent trees, leaving EX_BLOCK_AGE updates unprotected. The fix requires setting FI_NO_EXTENT under the extent tree lock in __destroy_extent_node() and enforcing the flag check for both extent tree types.

Business impact

This vulnerability can cause unplanned kernel crashes on systems running affected Linux kernel versions with F2FS as the active file system. For organizations relying on F2FS (common in embedded systems, Android devices, and certain SSD deployments), a crash can lead to service interruptions, data loss if writes are in-flight, and operational overhead for system restarts. The medium CVSS score reflects the local privilege requirement and the need for specific I/O patterns to manifest, but the impact—a denial of service via kernel crash—is significant for availability-sensitive deployments.

Affected systems

The Linux kernel is affected, specifically the F2FS file system subsystem. Systems using F2FS as the primary or secondary file system are at risk, including but not limited to Android devices, embedded Linux systems, and servers configured with F2FS storage. Exposure requires local access or the ability to trigger I/O patterns that cause concurrent inode drop and writeback operations. Systems using ext4, btrfs, or other file systems are not affected.

Exploitability

Exploitability is low to moderate. The vulnerability requires local code execution capability and precise timing between inode drop and writeback operations. An unprivileged local user with I/O access could potentially trigger the race condition through sustained file operations that force frequent inode recycling and concurrent write-back. The AC:H (Attack Complexity High) CVSS metric reflects that reliable triggering requires specific system state and timing. No public exploit code exists, and practical weaponization would require detailed knowledge of F2FS internals and system load patterns.

Remediation

The fix involves two core changes to the kernel's F2FS implementation: (1) setting the FI_NO_EXTENT flag under the extent tree lock (et->lock) inside __destroy_extent_node() to atomically signal that no new extent nodes should be inserted, and (2) extending the FI_NO_EXTENT flag check in __update_extent_tree_range() to protect both EX_READ and EX_BLOCK_AGE extent tree types. These changes ensure that extent tree destruction and concurrent writeback operations are properly serialized, preventing the race condition.

Patch guidance

Verify the kernel version against your distribution's security advisory. Linux kernel patches addressing this vulnerability set FI_NO_EXTENT under et->lock in __destroy_extent_node() and add FI_NO_EXTENT checks for both EX_READ and EX_BLOCK_AGE extent trees. Confirm the patch is included in kernel updates released after the CVE publication date (2026-05-28). Test the patched kernel in a staging environment to ensure F2FS stability before production deployment. Coordinate with storage and file system teams to validate that the patch does not interfere with F2FS performance tuning or existing configurations.

Detection guidance

Monitor kernel logs for f2fs_bug_on() panics, particularly those referencing node_cnt mismatch or extent node operations. Systems experiencing repeated kernel crashes tied to F2FS file system operations should be investigated for this race condition. Use kernel debugging tools (ftrace, kprobes) to capture the call stack leading to the crash; look for concurrent calls to f2fs_drop_inode() and f2fs_update_read_extent_cache(). On systems with persistent logging, audit crash dumps for f2fs-related backtraces. Performance monitoring showing I/O stalls followed by sudden restarts may also signal this vulnerability being triggered.

Why prioritize this

Prioritize this vulnerability for systems actively using F2FS, particularly in production environments where kernel crashes directly impact availability. The MEDIUM CVSS reflects the local-only attack vector and timing complexity, but the consequence—kernel panic and system downtime—justifies timely patching. Organizations running Android, embedded IoT systems, or F2FS-backed storage should prioritize remediation. Systems using other file systems can deprioritize but should still update kernel packages during regular maintenance windows.

Risk score, explained

The CVSS v3.1 score of 4.7 (MEDIUM) is driven by: Local Attack Vector (AV:L) limiting exposure to authenticated users; High Attack Complexity (AC:H) reflecting the need to trigger specific race conditions; Low privilege requirement (PR:L) allowing unprivileged users; no confidentiality or integrity impact; and High availability impact (A:H) from kernel crash. The score appropriately reflects that while exploitation requires local access and precise timing, the ultimate impact—denial of service—is severe for affected deployments.

Frequently asked questions

What file systems am I using, and am I affected?

You are affected if you are actively using F2FS as your file system. Check with 'mount | grep f2fs' on Linux systems. Systems using ext4, btrfs, XFS, or other file systems are not affected. Android devices typically use F2FS; embedded systems and some NAS appliances may also use it. If you are unsure, consult your system or device documentation.

How likely is this vulnerability to crash my system in normal operation?

Likelihood depends on your I/O workload. The vulnerability requires concurrent inode drop and writeback operations, which is more likely under heavy I/O load or when memory pressure forces frequent inode recycling. Lightly loaded systems or those with infrequent file operations may rarely or never trigger the race. However, once triggered, the crash is near-certain, so any F2FS deployment should apply the patch.

Can an attacker on a remote network trigger this?

No. This vulnerability requires local code execution or direct I/O access. Remote attackers cannot trigger it over the network. It is primarily a concern for multi-user systems or systems where untrusted local code can run (e.g., shared hosting, Android app execution).

What is the difference between EX_READ and EX_BLOCK_AGE extent types?

EX_READ extent nodes track read access patterns for optimization, while EX_BLOCK_AGE extent nodes track block age for garbage collection decisions. The original vulnerability only protected EX_READ from concurrent insertion during inode drop; the fix ensures both types respect the FI_NO_EXTENT flag, preventing either from racing with extent tree destruction.

This analysis is provided for informational purposes and should not be construed as professional security advice. Organizations should verify all patches against their distribution's official security advisory and perform thorough testing before deploying kernel updates. The CVSS score and vulnerability details are based on data available as of the publication date and may be subject to updates by the vendor or CVSS scoring authority. No exploit code or proof-of-concept is provided. Actual risk depends on your specific environment, file system configuration, and operational practices. Consult with your Linux distribution maintainer or kernel vendor for definitive guidance on applicability and remediation timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).