{
  "public_date" : "2026-05-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()",
    "id" : "2464359",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2464359"
  },
  "cwe" : "CWE-825",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nf2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()\nThe xfstests case \"generic/107\" and syzbot have both reported a NULL\npointer dereference.\nThe concurrent scenario that triggers the panic is as follows:\nF2FS_WB_CP_DATA write callback          umount\n                                        - f2fs_write_checkpoint\n                                        - f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)\n- blk_mq_end_request\n- bio_endio\n- f2fs_write_end_io\n: dec_page_count(sbi, F2FS_WB_CP_DATA)\n: wake_up(&sbi->cp_wait)\n                                        - kill_f2fs_super\n                                        - kill_block_super\n                                        - f2fs_put_super\n                                        : iput(sbi->node_inode)\n                                        : sbi->node_inode = NULL\n: f2fs_in_warm_node_list\n- is_node_folio // sbi->node_inode is NULL and panic\nThe root cause is that f2fs_put_super() calls iput(sbi->node_inode) and\nsets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is\ndecremented to zero. As a result, f2fs_in_warm_node_list() may\ndereference a NULL node_inode when checking whether a folio belongs to\nthe node inode, leading to a panic.\nThis patch fixes the issue by calling f2fs_in_warm_node_list() before\ndecrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the\nuse-after-free condition.", "A flaw was found in the Linux kernel's Flash-Friendly File System (f2fs). A use-after-free vulnerability exists due to incorrect handling of page counts during concurrent write operations and unmounting. This can lead to a NULL pointer dereference, causing the system to panic and resulting in a Denial of Service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31715\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31715\nhttps://lore.kernel.org/linux-cve-announce/2026050123-CVE-2026-31715-891c@gregkh/T" ],
  "name" : "CVE-2026-31715",
  "csaw" : false
}