PatchSiren

CVE-2026-23265 Linux CVE debrief

A vulnerability in the Linux kernel's F2FS (Flash-Friendly File System) allows a corrupted filesystem image to trigger a kernel BUG() panic during node page I/O completion. The issue occurs when a fuzzed or maliciously crafted F2FS image contains a node page whose footer.nid field does not match the page's expected node ID (nid). Under normal read paths, sanity checks catch this inconsistency, but asynchronous readahead operations (f2fs_ra_node_pages() and f2fs_ra_node_page()) bypass these checks. Once the corrupted node page is loaded and subsequently dirtied, the writeback path in f2fs_write_end_io() detects the mismatch and invokes BUG(), causing a kernel panic. This results in a local denial-of-service condition. The vulnerability affects Linux kernel versions from 3.8 through 6.18.12 and from 6.19 through 6.19.2. The fix adds sanity checks on the node footer within the {read,write}_end_io functions to catch corruption before it can trigger the BUG().

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-05-29
Advisory published: 2026-03-18
Advisory updated: 2026-05-29

Who should care

Linux system administrators running F2FS on endpoints or servers; embedded and mobile device vendors using F2FS for flash storage; security teams monitoring for local denial-of-service vectors in kernel filesystem code; and organizations allowing untrusted filesystem images to be mounted.

Technical summary

In the Linux kernel's F2FS filesystem, asynchronous node page readahead functions (f2fs_ra_node_pages, f2fs_ra_node_page) do not perform sanity checks on the node footer before loading pages. If a corrupted or fuzzed F2FS image contains a node page where footer.nid mismatches the expected nid, this corruption propagates through to writeback. The f2fs_write_end_io() function detects the inconsistency and triggers BUG() at fs/f2fs/data.c:358, causing a kernel panic. The fix introduces sanity checks in both read_end_io and write_end_io to validate the node footer before processing, preventing the panic condition.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant stable kernel patch from the Linux kernel stable tree to add node footer sanity checks in F2FS read and write end I/O paths.
  • Upgrade to Linux kernel 6.18.13 or later, or 6.19.3 or later, where this vulnerability is resolved.
  • If running custom or long-term support kernels, backport the patch adding sanity checks on node footer in {read,write}_end_io functions in fs/f2fs/data.c.
  • Restrict untrusted user access to mount F2FS filesystems from unknown or potentially fuzzed images, as local access to a malicious image is required to trigger this condition.
  • Monitor for kernel panics in F2FS writeback paths as potential indicators of exploitation attempts against this vulnerability.
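
A triage helper for the upgrade and monitoring actions above, added here as an example and not taken from the advisory or the kernel tree: it compares a `uname -r` string against the affected ranges this page states, and scans kernel log lines for a BUG in fs/f2fs/data.c whose call trace includes f2fs_write_end_io. The function names, the 40-line trace window and the sample log are assumptions constructed for illustration.

```python
import re

# Affected upstream ranges as stated on this page: 3.8 up to but not including
# 6.18.13, and 6.19 up to but not including 6.19.3.
AFFECTED = [((3, 8, 0), (6, 18, 13)), ((6, 19, 0), (6, 19, 3))]

def parse_release(release):
    """Turn a `uname -r` string such as '6.18.7-generic' into (6, 18, 7)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def upstream_affected(release):
    """True if the upstream version number is inside an affected range."""
    # Vendor kernels can carry the backported fix under an older version
    # number, so True means "confirm against the vendor changelog".
    v = parse_release(release)
    return any(lo <= v < hi for lo, hi in AFFECTED)

# The page cites data.c:358; the line number shifts between builds, so match
# any line in that file and require f2fs_write_end_io in the trace instead.
BUG_LINE = re.compile(r"kernel BUG at fs/f2fs/data\.c:\d+!")
TRACE_WINDOW = 40  # assumed number of log lines to search after the BUG line

def find_f2fs_writeback_bugs(log_lines):
    """Return indexes of matching BUG lines in a list of kernel log lines."""
    hits = []
    for i, line in enumerate(log_lines):
        if BUG_LINE.search(line):
            trace = log_lines[i + 1 : i + 1 + TRACE_WINDOW]
            if any("f2fs_write_end_io" in t for t in trace):
                hits.append(i)
    return hits

# Constructed sample log (timestamps, offsets and the second BUG are made up).
SAMPLE_LOG = [
    "[  131.482113] ------------[ cut here ]------------",
    "[  131.482120] kernel BUG at fs/f2fs/data.c:358!",
    "[  131.482140] Call Trace:",
    "[  131.482151]  f2fs_write_end_io+0x1a2/0x3c0",
    "[  131.482160]  bio_endio+0x12f/0x1a0",
    "[  140.000000] kernel BUG at fs/example/other.c:1!",
]

if __name__ == "__main__":
    print(upstream_affected("6.18.12-generic"), find_f2fs_writeback_bugs(SAMPLE_LOG))
```

Because a panic usually prevents the running system from flushing its own log, feed this the lines recovered after reboot (for example from pstore, a serial console capture or a remote log collector).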

Evidence notes

The vulnerability description and patch references are drawn from the NVD record for CVE-2026-23265, published 2026-03-18 and last modified 2026-05-29. The call trace and technical analysis of the BUG() at fs/f2fs/data.c:358, the inconsistency between node page index and footer.nid, and the bypass of sanity checks in async readahead paths are all sourced directly from the CVE description. Affected version ranges (3.8 to before 6.18.13, and 6.19 to before 6.19.3) are derived from the CPE criteria in the NVD source data. Three kernel.org stable patches are referenced as mitigation sources.
