Vulnerabilities ›

CVE-2026-31715

High

CWE-416 — Weakness Type

                    Published: May 1, 2026                      ·  Modified: May 8, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix UAF caused by decrementing sbi->nr_pages[] in f2fs_write_end_io()

The xfstests case "generic/107" and syzbot have both reported a NULL
pointer dereference.

The concurrent scenario that triggers the panic is as follows:

F2FS_WB_CP_DATA write callback umount
- f2fs_write_checkpoint
- f2fs_wait_on_all_pages(sbi, F2FS_WB_CP_DATA)
- blk_mq_end_request
- bio_endio
- f2fs_write_end_io
: dec_page_count(sbi, F2FS_WB_CP_DATA)
: wake_up(&sbi->cp_wait)
- kill_f2fs_super
- kill_block_super
- f2fs_put_super
: iput(sbi->node_inode)
: sbi->node_inode = NULL
: f2fs_in_warm_node_list
- is_node_folio // sbi->node_inode is NULL and panic

The root cause is that f2fs_put_super() calls iput(sbi->node_inode) and
sets sbi->node_inode to NULL after sbi->nr_pages[F2FS_WB_CP_DATA] is
decremented to zero. As a result, f2fs_in_warm_node_list() may
dereference a NULL node_inode when checking whether a folio belongs to
the node inode, leading to a panic.

This patch fixes the issue by calling f2fs_in_warm_node_list() before
decrementing sbi->nr_pages[F2FS_WB_CP_DATA], thus preventing the
use-after-free condition.

🤖 AI Executive Summary

CVE-2026-31715 is a use-after-free (UAF) vulnerability in the Linux kernel's F2FS filesystem that causes NULL pointer dereference during concurrent write operations and unmount. The vulnerability occurs when f2fs_write_end_io() decrements page counters after f2fs_put_super() has already freed the node_inode pointer, leading to kernel panic. This affects systems running vulnerable Linux kernel versions with F2FS filesystem support.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 7, 2026 03:48

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi government and enterprise servers running Linux with F2FS filesystem, particularly those in ARAMCO's infrastructure, NCA data centers, and SAMA banking systems that utilize Linux-based storage solutions. The kernel panic can cause denial of service, affecting critical infrastructure availability. Organizations using F2FS for high-performance storage in cloud environments, data centers, and enterprise servers are at highest risk. The vulnerability is particularly concerning for Saudi telecommunications providers (STC, Mobily) and financial institutions relying on Linux-based infrastructure.

🏢 Affected Saudi Sectors

Government Banking and Financial Services Energy and Utilities Telecommunications Healthcare Data Centers and Cloud Services

🎯 MITRE ATT&CK Techniques

T1499 - Denial of Service T1561 - Disk Wipe T1529 - System Shutdown/Reboot

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify systems running Linux kernel versions 7.1-rc1 and earlier with F2FS filesystem support using 'uname -r' and 'cat /proc/filesystems'

2. Disable F2FS filesystem if not critical to operations; use ext4 or other filesystems as temporary workaround

3. Implement monitoring for kernel panic logs related to f2fs_in_warm_node_list()



Patching Guidance:

1. Apply the official Linux kernel patch that reorders f2fs_in_warm_node_list() call before sbi->nr_pages[] decrement

2. Update to patched kernel version (7.1-rc2 or later when available)

3. Test patches in non-production environment before deployment

4. Schedule maintenance window for kernel update and system reboot



Compensating Controls:

1. Implement watchdog timers to automatically restart services on kernel panic

2. Enable kernel crash dump collection (kdump) for forensic analysis

3. Monitor system logs for f2fs-related errors: 'grep -i f2fs /var/log/kern.log'

4. Implement filesystem health checks before critical operations



Detection Rules:

1. Alert on kernel panic messages containing 'f2fs_in_warm_node_list' or 'node_inode'

2. Monitor for concurrent F2FS write operations during system shutdown

3. Track syslog entries: 'BUG: unable to handle page fault for address'

4. Implement YARA rule for kernel memory dumps showing UAF patterns in F2FS code

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد الأنظمة التي تقوم بتشغيل إصدارات نواة Linux 7.1-rc1 والإصدارات الأقدم مع دعم نظام ملفات F2FS باستخدام 'uname -r' و 'cat /proc/filesystems'

2. تعطيل نظام ملفات F2FS إذا لم يكن حرجاً للعمليات؛ استخدم ext4 أو أنظمة ملفات أخرى كحل مؤقت

3. تنفيذ المراقبة لسجلات توقف النواة المتعلقة بـ f2fs_in_warm_node_list()

إرشادات التصحيح:

1. تطبيق رقعة نواة Linux الرسمية التي تعيد ترتيب استدعاء f2fs_in_warm_node_list() قبل تقليل sbi->nr_pages[]

2. التحديث إلى إصدار نواة مصحح (7.1-rc2 أو أحدث عند توفره)

3. اختبار الرقع في بيئة غير الإنتاج قبل النشر

4. جدولة نافذة صيانة لتحديث النواة وإعادة تشغيل النظام

الضوابط التعويضية:

1. تنفيذ مؤقتات watchdog لإعادة تشغيل الخدمات تلقائياً عند توقف النواة

2. تفعيل جمع تفريغ توقف النواة (kdump) للتحليل الجنائي

3. مراقبة سجلات النظام بحثاً عن أخطاء F2FS: 'grep -i f2fs /var/log/kern.log'

4. تنفيذ فحوصات صحة نظام الملفات قبل العمليات الحرجة

قواعد الكشف:

1. التنبيه على رسائل توقف النواة التي تحتوي على 'f2fs_in_warm_node_list' أو 'node_inode'

2. مراقبة عمليات كتابة F2FS المتزامنة أثناء إيقاف النظام

3. تتبع إدخالات syslog: 'BUG: unable to handle page fault for address'

4. تنفيذ قاعدة YARA لتفريغات ذاكرة النواة التي تظهر أنماط UAF في كود F2FS

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.3.1 - Configuration management

🔵 SAMA CSF

ID.RA-1 - Asset management and vulnerability identification PR.IP-12 - Software development and security practices DE.CM-8 - Vulnerability scans and assessments

🟡 ISO 27001:2022

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development, acceptance and transition A.12.3.1 - Configuration management

🟣 PCI DSS v4.0.1

Requirement 6.2 - Security patches and updates Requirement 11.2 - Vulnerability scanning

🔗 References & Sources 4

🔗

https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a263aee3cad96fa5

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/7be222de96c0f9eee6e65eeb017ef855ee185cfa

416baaa9-dc9f-4396-8d5f-8c081fb06d67

🔗

https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f642214f10013ebf7

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 Affected Products / CPE 3 entries

linux:linux_kernel

linux:linux_kernel:7.1

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-416

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-05-01

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-416

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-31715

💬 Comments

Introduce Yourself

Sign In Required