GHSA-CHRJ-6658-798C
Vulnerability from github – Published: 2026-03-04 15:30 – Updated: 2026-03-04 15:30In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid UAF in f2fs_write_end_io()
As syzbot reported an use-after-free issue in f2fs_write_end_io().
It is caused by below race condition:
loop device umount - worker_thread - loop_process_work - do_req_filebacked - lo_rw_aio - lo_rw_aio_complete - blk_mq_end_request - blk_update_request - f2fs_write_end_io - dec_page_count - folio_end_writeback - kill_f2fs_super - kill_block_super - f2fs_put_super : free(sbi) : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed
In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback().
Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.
{
"affected": [],
"aliases": [
"CVE-2026-23234"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-04T15:16:13Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_write_end_io()\n\nAs syzbot reported an use-after-free issue in f2fs_write_end_io().\n\nIt is caused by below race condition:\n\nloop device\t\t\t\tumount\n- worker_thread\n - loop_process_work\n - do_req_filebacked\n - lo_rw_aio\n - lo_rw_aio_complete\n - blk_mq_end_request\n - blk_update_request\n - f2fs_write_end_io\n - dec_page_count\n - folio_end_writeback\n\t\t\t\t\t- kill_f2fs_super\n\t\t\t\t\t - kill_block_super\n\t\t\t\t\t - f2fs_put_super\n\t\t\t\t\t : free(sbi)\n : get_pages(, F2FS_WB_CP_DATA)\n accessed sbi which is freed\n\nIn kill_f2fs_super(), we will drop all page caches of f2fs inodes before\ncall free(sbi), it guarantee that all folios should end its writeback, so\nit should be safe to access sbi before last folio_end_writeback().\n\nLet\u0027s relocate ckpt thread wakeup flow before folio_end_writeback() to\nresolve this issue.",
"id": "GHSA-chrj-6658-798c",
"modified": "2026-03-04T15:30:36Z",
"published": "2026-03-04T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23234"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fb58aff0dafd6837cc91f4154f3ed6e020358fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f67ff1e15a8a4d0e4ffc6564ab20d03d7398fe9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/505e1c0530db6152cab3feef8e3e4da3d3e358c9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/995030be4ce6338c6ff814583c14166446a64008"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a42f99be8a16b32a0bb91bb6dda212a6ad61be5d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/acc2c97fc0005846e5cf11b5ba3189fef130c9b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ce2739e482bce8d2c014d76c4531c877f382aa54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf4a9e1bc8129eb63fda5f8bdcd8d87f0bd76f42"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.