CVE-2026-31702 Overview
CVE-2026-31702 is a use-after-free vulnerability [CWE-416] in the Linux kernel's f2fs (Flash-Friendly File System) compressed writeback completion path. The flaw resides in f2fs_compress_write_end_io(), where dec_page_count(sbi, type) can drop the F2FS_WB_CP_DATA counter to zero. This unblocks f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount, allowing the unmount path to free the superblock info (sbi) while the bio completion callback still dereferences sbi->page_array_slab.
This vulnerability is a sibling of CVE-2026-23234, which addressed the same race in f2fs_write_end_io() but did not cover the compressed writeback path.
Critical Impact
A local attacker triggering concurrent f2fs compressed writes and unmount operations can corrupt kernel memory, leading to local privilege escalation or kernel panic.
Affected Products
- Linux Kernel (multiple stable branches prior to the fix)
- Linux Kernel 7.1-rc1
- Linux Kernel 7.1-rc2
Discovery Timeline
- 2026-05-01 - CVE-2026-31702 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-31702
Vulnerability Analysis
The vulnerability is a race condition between f2fs compressed bio completion and filesystem unmount. When f2fs_compress_write_end_io() processes the last folio of a compressed cluster, it calls dec_page_count(sbi, type) which decrements F2FS_WB_CP_DATA. This decrement can satisfy f2fs_wait_on_all_pages() running in the concurrent unmount thread.
Once unblocked, f2fs_put_super() proceeds to call f2fs_destroy_page_array_cache(sbi), which destroys sbi->page_array_slab via kmem_cache_destroy(), and ultimately frees sbi. The bio completion callback continues executing on another CPU and reaches page_array_free(sbi, ...), dereferencing the freed slab cache pointer to call kmem_cache_free().
Root Cause
The root cause is incorrect ordering of operations within the bio completion handler. The lifetime-extending counter (F2FS_WB_CP_DATA) is decremented before all other accesses to sbi complete. This violates the implicit invariant that sbi must remain valid throughout the duration of the completion callback.
Attack Vector
Exploitation requires local access with the ability to perform filesystem operations on an f2fs volume with compression enabled, plus the ability to trigger an unmount. An attacker schedules concurrent compressed writes and an unmount operation, racing the bio completion path against f2fs_put_super(). Successful exploitation corrupts slab cache metadata, which can be leveraged for kernel memory corruption and privilege escalation.
The upstream fix moves dec_page_count() to execute after page_array_free(). For non-last folios, page_array_free is not reached, so no post-decrement sbi access occurs. For the last folio, page_array_free runs while the counter is still nonzero, keeping sbi alive until the final dec_page_count call.
Detection Methods for CVE-2026-31702
Indicators of Compromise
- Kernel oops or general protection fault messages referencing f2fs_compress_write_end_io, page_array_free, or kmem_cache_free in dmesg and /var/log/kern.log.
- KASAN reports identifying use-after-free in sbi->page_array_slab during f2fs unmount sequences.
- Unexpected kernel panics correlated with f2fs umount operations on systems with compression enabled.
Detection Strategies
- Enable CONFIG_KASAN on test and staging kernels to surface the use-after-free at the moment of occurrence.
- Audit running kernel versions across the fleet against the patched stable releases referenced in the kernel.org commit log.
- Monitor for processes performing rapid mount/unmount cycles on f2fs volumes alongside heavy compressed I/O.
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging system and alert on stack traces containing f2fs_compress_write_end_io.
- Track f2fs mount options across hosts to identify systems where the compress_algorithm mount option is in use.
- Correlate filesystem unmount events with subsequent kernel crash reports to identify exploitation attempts.
How to Mitigate CVE-2026-31702
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in the Linux Kernel Commit Log that reorder dec_page_count() after page_array_free().
- Inventory all hosts using f2fs with compression enabled and prioritize them for kernel updates.
- Restrict local user access to systems running unpatched kernels until a patched build is deployed.
Patch Information
The fix is available in multiple stable branches via the following commits: 2c97dcb6, 39d4ee19, c76cf339, ef57cd33, and f5154cf3. Rebuild and reboot into the patched kernel after deployment.
Workarounds
- Disable f2fs compression by remounting affected volumes without the compress_algorithm mount option until patches are applied.
- Avoid using f2fs as a writable filesystem for untrusted local users on unpatched kernels.
- Restrict the CAP_SYS_ADMIN capability to prevent unprivileged unmount operations on f2fs volumes.
# Verify running kernel version and f2fs mount options
uname -r
mount | grep f2fs
# Remount f2fs volume without compression as a temporary workaround
mount -o remount,compress_algorithm= /mnt/f2fs_volume
# After applying the patched kernel, verify and reboot
apt list --installed 2>/dev/null | grep linux-image
systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
