CVE-2026-23265 Overview
A vulnerability has been identified in the Linux kernel's f2fs (Flash-Friendly File System) implementation. The flaw exists in the read_end_io and write_end_io functions where insufficient sanity checking on node footer data can lead to a kernel BUG condition when processing corrupted or maliciously crafted filesystem images.
When a node page with a corrupted footer is loaded using asynchronous methods such as f2fs_ra_node_pages() or f2fs_ra_node_page(), the inconsistency between the node page index (nid) and the footer.nid value goes undetected. Once the corrupted node page becomes dirty and is written back, the kernel triggers a BUG at fs/f2fs/data.c:358 during the f2fs_write_end_io() function.
Critical Impact
Mounting a maliciously crafted f2fs filesystem image can cause a kernel panic, resulting in system denial of service. This is particularly concerning for systems that automatically mount removable media or process untrusted filesystem images.
Affected Products
- Linux kernel with f2fs filesystem support enabled
- Systems processing untrusted f2fs filesystem images
- Storage systems and embedded devices using f2fs
Discovery Timeline
- 2026-03-18 - CVE CVE-2026-23265 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-23265
Vulnerability Analysis
The vulnerability resides in the f2fs filesystem's I/O completion handlers. The f2fs filesystem maintains metadata in node pages, with each node page containing a footer structure that includes the node identifier (nid). During normal operation, the node page index should match the footer.nid value to ensure data integrity.
The issue arises because asynchronous read-ahead operations (f2fs_ra_node_pages() and f2fs_ra_node_page()) do not perform sanity checks on the node footer when loading pages into memory. When a fuzzed or corrupted filesystem image contains node pages with inconsistent footer data, these corrupted pages are loaded without validation.
The corruption remains undetected until the node page is marked dirty and subsequently written back to disk. At this point, f2fs_write_end_io() detects the inconsistency between the expected node page index and the actual footer.nid value, triggering a kernel BUG condition.
Root Cause
The root cause is missing input validation in the asynchronous node page read-ahead path. While synchronous read operations may include sanity checks, the asynchronous f2fs_ra_node_pages() and f2fs_ra_node_page() functions skip these validations for performance reasons. This creates a window where corrupted node footer data can enter the system undetected and cause a kernel panic during subsequent write operations.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious f2fs filesystem image with intentionally corrupted node footer data. The attack scenario involves:
- Creating an f2fs filesystem image with node pages containing mismatched footer.nid values
- Inducing the target system to mount the malicious filesystem
- Triggering read-ahead operations that load the corrupted node pages
- Causing the corrupted pages to become dirty through normal filesystem operations
- Waiting for the writeback operation to trigger the kernel BUG
The call trace from the kernel BUG shows the crash occurs in the interrupt context during block I/O completion, originating from blk_update_request through blk_done_softirq and ultimately reaching the f2fs write end I/O handler.
Detection Methods for CVE-2026-23265
Indicators of Compromise
- Kernel panic messages containing "kernel BUG at fs/f2fs/data.c:358"
- System crashes when mounting or accessing f2fs filesystems
- Stack traces showing f2fs_write_end_io in the call chain
- Unexpected system reboots after mounting removable storage formatted with f2fs
Detection Strategies
- Monitor kernel logs for BUG or panic messages referencing f2fs subsystem
- Implement file integrity monitoring on kernel modules and f2fs-related binaries
- Deploy runtime kernel monitoring to detect anomalous behavior in filesystem operations
- Configure crash dump collection to capture kernel panics for forensic analysis
Monitoring Recommendations
- Enable kernel crash dump (kdump) to capture diagnostic information during panics
- Monitor dmesg output for f2fs-related warning or error messages
- Implement alerting for unexpected system reboots or kernel panics
- Review mount logs for suspicious or untrusted f2fs filesystem mounts
How to Mitigate CVE-2026-23265
Immediate Actions Required
- Apply the latest kernel patches that include sanity checks for node footer validation
- Restrict the ability to mount untrusted filesystem images to privileged users only
- Consider disabling automatic mounting of removable media on sensitive systems
- Audit systems for exposure to untrusted f2fs filesystem images
Patch Information
The Linux kernel maintainers have released patches that add sanity checking on node footer data in both read and write end I/O paths. The fix ensures that node page footer validation occurs during asynchronous read-ahead operations, preventing corrupted pages from causing kernel panics during writeback.
Multiple patch commits have been published to address this vulnerability:
Workarounds
- Disable f2fs filesystem support if not required by blacklisting the f2fs kernel module
- Implement mount restrictions to prevent untrusted users from mounting f2fs filesystems
- Use alternative filesystems (ext4, xfs) for storage that may receive untrusted images
- Apply mandatory access control policies (SELinux, AppArmor) to restrict filesystem mounting
# Disable f2fs module loading as a temporary workaround
echo "blacklist f2fs" >> /etc/modprobe.d/blacklist-f2fs.conf
echo "install f2fs /bin/false" >> /etc/modprobe.d/blacklist-f2fs.conf
# Verify the module is not currently loaded
lsmod | grep f2fs
# If loaded, remove it (requires no mounted f2fs filesystems)
modprobe -r f2fs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
