CVE-2026-31715 Overview
CVE-2026-31715 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Flash-Friendly File System (f2fs) implementation. The flaw resides in the f2fs_write_end_io() write completion handler and was reproduced by both the xfstests generic/107 case and syzbot. A race between concurrent checkpoint write completions and a filesystem unmount causes f2fs_in_warm_node_list() to dereference a NULL sbi->node_inode, leading to a kernel NULL pointer dereference and panic.
Critical Impact
A local authenticated user can trigger a kernel panic on systems mounting f2fs volumes, resulting in denial of service and potential memory corruption with high confidentiality, integrity, and availability impact.
Affected Products
- Linux Kernel (mainline, multiple stable branches)
- Linux Kernel 7.1-rc1
- Distributions shipping f2fs support prior to the fix commits
Discovery Timeline
- 2026-05-01 - CVE-2026-31715 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31715
Vulnerability Analysis
The vulnerability stems from a race window between f2fs write bio completion and superblock teardown. When f2fs_write_checkpoint issues F2FS_WB_CP_DATA writes, the bio completion path runs f2fs_write_end_io(), which calls dec_page_count(sbi, F2FS_WB_CP_DATA) and wakes waiters on sbi->cp_wait. The unmount path waits via f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA) before proceeding to f2fs_put_super(), which executes iput(sbi->node_inode) and assigns sbi->node_inode = NULL.
A concurrent bio completion can still be executing inside f2fs_write_end_io() after the page count reaches zero. When that callback subsequently calls f2fs_in_warm_node_list() to determine whether the folio belongs to the node inode, it dereferences the now-NULL sbi->node_inode pointer and panics.
Root Cause
The ordering inside f2fs_write_end_io() decrements sbi->nr_pages[F2FS_WB_CP_DATA] before invoking f2fs_in_warm_node_list(). This allows the unmount thread, which is gated only on the page count, to free node_inode while the completion handler is still using it. The result is a classic use-after-free against an inode object whose lifetime is shorter than the bio completion path expects.
Attack Vector
Exploitation requires local access with permissions to mount, write to, and unmount an f2fs volume. An attacker schedules checkpoint-class writes against an f2fs filesystem and races a concurrent unmount to cause f2fs_put_super() to release node_inode while a write bio completion is still in flight. The fix reorders operations so that f2fs_in_warm_node_list() runs before dec_page_count(), closing the race window. Detailed code changes are documented in the upstream patch series.
See the Linux Kernel Commit 7be222d for the corrective patch.
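The root cause and the fix above come down to which of two steps in f2fs_write_end_io() runs first. The model below is an added example, not kernel code or the upstream patch: each path is a short list of steps over a stand-in for sbi, every interleaving of the completion handler with the unmount path is run, and a schedule is reported when f2fs_in_warm_node_list() finds node_inode already dropped. Step and field names mirror the advisory; the return-value convention (False meaning "this thread would block here") is the model's own.

```python
"""Exhaustive check of the f2fs_write_end_io() step ordering (constructed model).
Runs all interleavings of the bio completion path with the unmount path and
reports the schedules in which the node_inode dereference happens after iput."""
from itertools import combinations

def new_sbi():
    return {"nr_pages": {"F2FS_WB_CP_DATA": 1}, "node_inode": "node_inode"}  # one CP page in flight

def dec_page_count(sbi):
    sbi["nr_pages"]["F2FS_WB_CP_DATA"] -= 1   # reaching 0 wakes waiters on sbi->cp_wait
    return True

def f2fs_in_warm_node_list(sbi):
    if sbi["node_inode"] is None:              # the dereference described in the advisory
        raise RuntimeError("NULL sbi->node_inode in f2fs_in_warm_node_list")
    return True

def f2fs_wait_on_all_pages(sbi):
    return sbi["nr_pages"]["F2FS_WB_CP_DATA"] == 0   # gated on the count only; False = blocks

def f2fs_put_super(sbi):
    sbi["node_inode"] = None                   # iput(sbi->node_inode); sbi->node_inode = NULL
    return True

BUGGY_END_IO = [dec_page_count, f2fs_in_warm_node_list]   # ordering before the fix
FIXED_END_IO = [f2fs_in_warm_node_list, dec_page_count]   # ordering after the fix
UNMOUNT = [f2fs_wait_on_all_pages, f2fs_put_super]

def interleavings(a, b):
    # every merge of a and b that preserves each list's own order
    n = len(a) + len(b)
    for pos in combinations(range(n), len(a)):
        ita, itb = iter(a), iter(b)
        yield [next(ita) if i in pos else next(itb) for i in range(n)]

def crashing_schedules(end_io):
    # step names, in order, for each feasible schedule that dereferences a freed node_inode
    crashes = []
    for seq in interleavings(end_io, UNMOUNT):
        sbi = new_sbi()
        try:
            for step in seq:
                if not step(sbi):
                    break          # unmount is still asleep on cp_wait: schedule infeasible
        except RuntimeError:
            crashes.append([s.__name__ for s in seq])
    return crashes

if __name__ == "__main__":
    print("buggy:", crashing_schedules(BUGGY_END_IO))
    print("fixed:", crashing_schedules(FIXED_END_IO))
```

With the buggy order exactly one feasible schedule crashes (decrement, unmount wakes, put_super, then the dereference); with the fixed order the wait cannot complete until after the dereference, so no feasible schedule does.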
Detection Methods for CVE-2026-31715
Indicators of Compromise
- Kernel panic stack traces referencing f2fs_write_end_io, f2fs_in_warm_node_list, or is_node_folio during or shortly after f2fs unmount operations.
- Unexpected system crashes on hosts running f2fs workloads alongside xfstests or fuzzing tools such as syzkaller.
- dmesg entries showing NULL pointer dereferences with faulting addresses near the f2fs write completion path.
Detection Strategies
- Inventory running kernels and identify hosts with f2fs mounted that are not on a kernel containing commits 188bb65, 2d9c4a4, 7be222d, or 963d2e2.
- Monitor kernel crash dumps and kdump artifacts for the signature panic in f2fs_write_end_io().
- Correlate filesystem mount, unmount, and crash events on endpoints to identify race-condition triggering activity.
Monitoring Recommendations
- Forward /var/log/kern.log and journalctl -k output to a central logging or SIEM platform for kernel oops and panic detection.
- Track unprivileged or container processes performing repeated f2fs mount/unmount sequences, which may indicate triggering attempts.
- Alert on any process spawning mount -t f2fs followed by abnormal termination or kernel panic events on the same host.
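The indicators above (oops traces naming f2fs_write_end_io, f2fs_in_warm_node_list or is_node_folio) and the recommendation to centralise journalctl -k output can be turned into a small scanner. This is an added example, not from the advisory: it walks kernel log lines, groups each oops from its "BUG: kernel NULL pointer dereference" line to its "end trace" line, and reports the oops only when its trace touches the f2fs completion path. The sample lines are constructed in journalctl -k -o short-iso style.

```python
"""Scan kernel log lines for the CVE-2026-31715 panic signature (added example)."""
import re

F2FS_SYMBOLS = ("f2fs_write_end_io", "f2fs_in_warm_node_list", "is_node_folio")
OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference")
OOPS_END = re.compile(r"---\[ end trace ")
# symbol+offset/size as printed in RIP: and Call Trace: lines
TRACE_SYM = re.compile(r"\b(?P<sym>[A-Za-z_][A-Za-z0-9_]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample, not a real capture: one f2fs oops followed by an unrelated one.
SAMPLE_KMSG = """\
2026-05-08T10:21:03+0000 host kernel: F2FS-fs (loop0): Mounted with checkpoint version = 5c1e2a7
2026-05-08T10:21:09+0000 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000028
2026-05-08T10:21:09+0000 host kernel: RIP: 0010:f2fs_in_warm_node_list+0x12/0x40 [f2fs]
2026-05-08T10:21:09+0000 host kernel: Call Trace:
2026-05-08T10:21:09+0000 host kernel:  f2fs_write_end_io+0x1a3/0x2c0 [f2fs]
2026-05-08T10:21:09+0000 host kernel:  bio_endio+0x11e/0x150
2026-05-08T10:21:09+0000 host kernel: ---[ end trace 0000000000000000 ]---
2026-05-08T10:25:40+0000 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000010
2026-05-08T10:25:40+0000 host kernel: RIP: 0010:ext4_do_writepages+0x5c/0x9a0
2026-05-08T10:25:40+0000 host kernel: ---[ end trace 0000000000000000 ]---
"""

def find_f2fs_oops(lines):
    """Return one dict per oops whose trace names an f2fs write-completion symbol."""
    hits, current = [], None
    for line in lines:
        if OOPS_START.search(line):
            current = {"start": line.strip(), "symbols": []}   # new oops record begins
            continue
        if current is None:
            continue
        for m in TRACE_SYM.finditer(line):
            sym = m.group("sym")
            if sym in F2FS_SYMBOLS and sym not in current["symbols"]:
                current["symbols"].append(sym)
        if OOPS_END.search(line):                       # record complete: keep only f2fs ones
            if current["symbols"]:
                hits.append(current)
            current = None
    if current and current["symbols"]:                  # oops cut off by end of log
        hits.append(current)
    return hits

if __name__ == "__main__":
    for hit in find_f2fs_oops(SAMPLE_KMSG.splitlines()):
        print(hit["start"], "->", ", ".join(hit["symbols"]))
```

Feed it real input with `journalctl -k -o short-iso | python3 scan.py` after replacing the sample with sys.stdin; a hit on a host that has just unmounted an f2fs volume is the pattern the advisory describes.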
How to Mitigate CVE-2026-31715
Immediate Actions Required
- Apply the upstream stable kernel update containing commits 188bb65f247a, 2d9c4a4ed4ee, 7be222de96c0, and 963d2e24d9d9.
- Restrict the ability to mount f2fs filesystems to trusted administrators by tightening CAP_SYS_ADMIN allocations and user namespace policies.
- Audit container and sandbox configurations to ensure unprivileged users cannot mount arbitrary f2fs images.
Patch Information
The fix calls f2fs_in_warm_node_list() before decrementing sbi->nr_pages[F2FS_WB_CP_DATA], ensuring sbi->node_inode is still valid throughout the bio completion. Patches are available in upstream stable trees: Linux Kernel Commit 188bb65, Linux Kernel Commit 2d9c4a4, and Linux Kernel Commit 963d2e2. Distribution vendors should ship rebuilt kernels containing these commits.
Workarounds
- Avoid using f2fs on multi-tenant or untrusted-user systems until the patched kernel is deployed.
- Disable the f2fs kernel module via modprobe.d blacklisting where the filesystem is not required.
- Prevent unprivileged mount operations by removing SYS_ADMIN capability from container runtimes and restricting /etc/fstab user mount options.
# Configuration example: blacklist f2fs where not required
# Note: 'blacklist' only stops automatic loading by alias; an explicit modprobe still loads it
echo 'blacklist f2fs' | sudo tee /etc/modprobe.d/blacklist-f2fs.conf
# Rebuild the initramfs so the blacklist applies at early boot (Debian/Ubuntu command; use dracut -f on RHEL/Fedora)
sudo update-initramfs -u
# Verify the running kernel version and which f2fs module it would load
uname -r
# modinfo reports nothing if f2fs is built into the kernel rather than a module;
# in either case compare the version against the distribution advisory, since version strings alone do not prove the fix is present
modinfo f2fs | grep -E 'filename|version'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.