Use After Free Vulnerability in Linux Kernel's f2fs File System
CVE-2026-31715

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-31715?

A vulnerability in the f2fs (Flash-Friendly File System) component of the Linux kernel can lead to a use-after-free condition that results in a NULL pointer dereference. This issue manifests during concurrent operations involving the f2fs_write_checkpoint and the unmounting of the filesystem, potentially causing an application or system panic. The root cause occurs when the decrement operation on page count is executed after the inode is set to NULL, creating a scenario where access to a freed resource is attempted. The recent patch addresses this vulnerability effectively by restructuring the order of operations, thus ensuring that the checks for valid pointers happen before any potential frees are executed.

Affected Version(s)

Linux 50fa53eccf9f911a5b435248a2b0bd484fd82e5e < 963d2e24d9d92a31e6773b0f642214f10013ebf7

Linux 50fa53eccf9f911a5b435248a2b0bd484fd82e5e < 188bb65f247a7a7c62f287c9a263aee3cad96fa5

Linux 50fa53eccf9f911a5b435248a2b0bd484fd82e5e < 2d9c4a4ed4eef1f82c5b16b037aee8bad819fd53

References

https://git.kernel.org/stable/c/963d2e24d9d92a31e6773b0f6...

https://git.kernel.org/stable/c/188bb65f247a7a7c62f287c9a...

https://git.kernel.org/stable/c/2d9c4a4ed4eef1f82c5b16b03...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31715 Data

JSON