CVE-2026-46194 Overview
CVE-2026-46194 is a race condition vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation. The flaw resides in f2fs_destroy_extent_node(), which fails to set the FI_NO_EXTENT flag before clearing extent nodes. Concurrent kworker writeback can insert new extent nodes into the same extent tree while destruction is in progress, triggering a f2fs_bug_on() assertion in __destroy_extent_node(). The vulnerability affects systems running f2fs and may result in kernel panics or filesystem instability under specific concurrent I/O conditions.
Critical Impact
Concurrent execution of inode drop and writeback paths can trigger a kernel BUG assertion, leading to denial of service on systems using the f2fs filesystem.
Affected Products
- Linux kernel versions containing the affected f2fs extent node implementation
- Systems using the f2fs (Flash-Friendly File System) for storage
- Distributions shipping unpatched stable kernels
Discovery Timeline
- 2026-05-28 - CVE-2026-46194 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46194
Vulnerability Analysis
The vulnerability is a race condition [CWE-362] in the f2fs filesystem's extent tree management. When f2fs_drop_inode() runs with I_SYNC set, it invokes f2fs_destroy_extent_node(), which iterates over the extent tree and frees nodes under et->lock. At the same time, a kworker performing writeback can call __writeback_single_inode → f2fs_outplace_write_data → f2fs_update_read_extent_cache → __update_extent_tree_range, which inserts new extent nodes into the same tree.
Because FI_NO_EXTENT is not set during destruction, the writeback path has no signal to stop inserting nodes. After the destroy loop exits with node_cnt == 0, the inserted node leaves node_cnt > 0, triggering f2fs_bug_on(node_cnt) and a kernel BUG.
Root Cause
The root cause is missing synchronization state between two concurrent code paths operating on the same extent tree. f2fs_destroy_extent_node() did not set FI_NO_EXTENT under et->lock, diverging from other callers such as __update_extent_tree_range and __drop_extent_tree. Additionally, __update_extent_tree_range() only checked FI_NO_EXTENT for the EX_READ extent type, leaving EX_BLOCK_AGE updates entirely unprotected against this class of race.
Attack Vector
Triggering the race requires concurrent filesystem activity producing inode eviction with I_SYNC set while writeback is updating extent caches on the same inode. Exploitation is local and likely requires the ability to generate sustained I/O on f2fs volumes. The practical impact is a kernel assertion failure resulting in denial of service. No memory corruption primitive has been documented in the available references.
No verified code examples are available. See the upstream commits referenced below for the precise patch and reproduction context.
Detection Methods for CVE-2026-46194
Indicators of Compromise
- Kernel panic or BUG messages referencing __destroy_extent_node or f2fs_bug_on in dmesg or /var/log/kern.log
- Unexpected system reboots correlated with heavy f2fs write activity
- Stack traces showing f2fs_drop_inode and f2fs_outplace_write_data executing concurrently
Detection Strategies
- Audit kernel logs for f2fs BUG_ON assertions following inode eviction events
- Monitor running kernel versions across the fleet to identify systems lacking the upstream fix
- Correlate filesystem error events with workloads producing simultaneous writeback and inode drops
Monitoring Recommendations
- Centralize kernel log collection and alert on f2fs_bug_on or Oops patterns
- Track f2fs-specific performance counters and inode cache eviction rates
- Capture crash dumps via kdump for forensic analysis of kernel BUG events
How to Mitigate CVE-2026-46194
Immediate Actions Required
- Identify systems running f2fs and inventory kernel versions in use
- Apply the upstream stable kernel patches that introduce FI_NO_EXTENT under et->lock in __destroy_extent_node()
- Schedule reboots on patched systems to activate the corrected kernel
Patch Information
The fix sets FI_NO_EXTENT under et->lock in __destroy_extent_node(), aligning it with __update_extent_tree_range and __drop_extent_tree. The patch also extends the FI_NO_EXTENT check to cover both EX_READ and EX_BLOCK_AGE extent tree types. Upstream commits are available at the Linux Kernel commit 0559a0e962aa, commit 42dd1c91f993, commit ab1eaf9d5c99, commit b0e4395870eb, and commit ed78aeebef05.
Workarounds
- Migrate workloads off f2fs to ext4 or xfs where feasible until patches are deployed
- Reduce concurrent heavy write workloads on f2fs volumes to lower the probability of the race triggering
- Apply distribution stable kernel updates as soon as vendor backports become available
# Verify kernel version and check for f2fs mounts
uname -r
mount | grep f2fs
# After patching, reboot to activate fixed kernel
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
