Vulnerabilities ›

CVE-2026-31702

High

CWE-416 — Weakness Type

                    Published: May 1, 2026                      ·  Modified: May 8, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io()

In f2fs_compress_write_end_io(), dec_page_count(sbi, type) can bring
the F2FS_WB_CP_DATA counter to zero, unblocking
f2fs_wait_on_all_pages() in f2fs_put_super() on a concurrent unmount
CPU. The unmount path then proceeds to call
f2fs_destroy_page_array_cache(sbi), which destroys
sbi->page_array_slab via kmem_cache_destroy(), and eventually
kfree(sbi). Meanwhile, the bio completion callback is still executing:
when it reaches page_array_free(sbi, ...), it dereferences
sbi->page_array_slab — a destroyed slab cache — to call
kmem_cache_free(), causing a use-after-free.

This is the same class of bug as CVE-2026-23234 (which fixed the
equivalent race in f2fs_write_end_io() in data.c), but in the
compressed writeback completion path that was not covered by that fix.

Fix this by moving dec_page_count() to after page_array_free(), so
that all sbi accesses complete before the counter decrement that can
unblock unmount. For non-last folios (where atomic_dec_return on
cic->pending_pages is nonzero), dec_page_count is called immediately
before returning — page_array_free is not reached on this path, so
there is no post-decrement sbi access. For the last folio,
page_array_free runs while the F2FS_WB_CP_DATA counter is still
nonzero (this folio has not yet decremented it), keeping sbi alive,
and dec_page_count runs as the final operation.

🤖 AI Executive Summary

CVE-2026-31702 is a use-after-free vulnerability in the Linux kernel's F2FS file system compression write completion handler. The vulnerability occurs when a concurrent unmount operation destroys the sbi (superblock info) structure while a bio completion callback is still executing, leading to potential kernel crashes or privilege escalation. This is a high-severity issue affecting systems using F2FS with compression enabled, particularly in data center and enterprise environments.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 6, 2026 23:19

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations operating Linux-based infrastructure, particularly: (1) Government entities (NCA, CITC) running critical systems on F2FS-enabled servers; (2) Banking sector (SAMA-regulated institutions, major banks) using Linux for transaction processing and data storage; (3) Telecommunications providers (STC, Mobily, Zain) managing network infrastructure; (4) Energy sector (Saudi Aramco, SEC) operating SCADA and data management systems; (5) Healthcare institutions using Linux servers for patient data storage. The vulnerability could lead to system crashes, data corruption, or unauthorized access if exploited in multi-tenant or high-concurrency environments.

🏢 Affected Saudi Sectors

Government Banking Telecommunications Energy Healthcare Data Centers Cloud Service Providers

🎯 MITRE ATT&CK Techniques

T1499 - Endpoint Denial of Service T1561 - Disk Wipe T1561.001 - Disk Content Wipe T1499.004 - Application Exhaustion Flood T1203 - Exploitation for Client Execution

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all Linux systems using F2FS file system with compression enabled (check mount options: mount | grep f2fs)

2. Prioritize systems in production environments, particularly those with high I/O concurrency

3. Implement monitoring for kernel panic logs and unexpected system reboots



Patching Guidance:

1. Apply the latest Linux kernel patch that includes the F2FS compression write-end-io fix

2. For kernel versions 7.1-rc1 and later, update to patched versions immediately

3. Test patches in non-production environments before deployment

4. Schedule maintenance windows for kernel updates on critical systems



Compensating Controls (if immediate patching not possible):

1. Disable F2FS compression if not critical to operations (mount with -o compress_algorithm=none)

2. Reduce concurrent I/O operations to minimize race condition window

3. Implement watchdog timers to detect and restart hung processes

4. Enable kernel crash dumps (kdump) for post-incident analysis



Detection Rules:

1. Monitor kernel logs for: 'use-after-free', 'page_array_slab', 'f2fs_compress_write_end_io'

2. Alert on unexpected kernel panics or BUG messages related to F2FS

3. Track system uptime anomalies indicating frequent crashes

4. Monitor memory corruption indicators in dmesg logs

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أنظمة لينكس التي تستخدم نظام الملفات F2FS مع تفعيل الضغط (تحقق من خيارات التثبيت: mount | grep f2fs)

2. إعطاء الأولوية للأنظمة في بيئات الإنتاج، خاصة تلك التي تتمتع بتزامن عالي للإدخال/الإخراج

3. تنفيذ المراقبة لسجلات توقف النواة والإعادة غير المتوقعة للنظام

إرشادات التصحيح:

1. تطبيق أحدث تصحيح نواة لينكس يتضمن إصلاح F2FS compression write-end-io

2. لإصدارات النواة 7.1-rc1 والإصدارات الأحدث، قم بالتحديث إلى الإصدارات المصححة فوراً

3. اختبر التصحيحات في بيئات غير الإنتاج قبل النشر

4. جدول نوافذ الصيانة لتحديثات النواة على الأنظمة الحرجة

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تعطيل ضغط F2FS إذا لم يكن حرجاً للعمليات (mount مع -o compress_algorithm=none)

2. تقليل عمليات الإدخال/الإخراج المتزامنة لتقليل نافذة حالة السباق

3. تنفيذ مؤقتات watchdog للكشف عن العمليات المعلقة وإعادة تشغيلها

4. تفعيل تفريغ توقف النواة (kdump) لتحليل ما بعد الحادث

قواعد الكشف:

1. مراقبة سجلات النواة بحثاً عن: 'use-after-free', 'page_array_slab', 'f2fs_compress_write_end_io'

2. تنبيه على توقف النواة غير المتوقع أو رسائل BUG المتعلقة بـ F2FS

3. تتبع شذوذ وقت التشغيل الذي يشير إلى توقفات متكررة

4. مراقبة مؤشرات تلف الذاكرة في سجلات dmesg

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.3.1 - Configuration management

🔵 SAMA CSF

SAMA CSF ID.BE-5.2 - Cybersecurity risk management processes SAMA CSF PR.IP-12 - Software, firmware, and information integrity mechanisms SAMA CSF DE.CM-8 - Vulnerability scans are performed

🟡 ISO 27001:2022

ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Secure development, acceptance and testing ISO 27001:2022 A.12.3.1 - Configuration management

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Ensure all system components and software are protected from known vulnerabilities

🔗 References & Sources 5

🔗

https://git.kernel.org/stable/c/2c97dcb6147c8f7f25c629b93be1e69617de5d4a

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/39d4ee19c1e7d753dd655aebee632271b171f43a

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/c76cf339b87975ae5b2c06d2d774d5667d25a12a

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/ef57cd3329b40c739b9a2e1a8a21ecc4171c6280

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/f5154cf3ce1c8193f0c1891d3769f62740cfe6fe

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 Affected Products / CPE 6 entries

linux:linux_kernel

linux:linux_kernel:7.1

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-416

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-05-01

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-416

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-31702

💬 Comments

Introduce Yourself

Sign In Required