PatchSiren cyber security CVE debrief
CVE-2026-31715 Linux CVE debrief
CVE-2026-31715 is a Linux kernel F2FS bug in which concurrent writeback completion and unmount can race, leaving sbi->node_inode NULL before f2fs_in_warm_node_list() checks it. The result is a NULL pointer dereference and kernel panic; NVD maps the flaw to CWE-416 (use after free). NVD rates the issue 7.8 HIGH and describes it as locally reachable with low privileges and no user interaction. The fix moves the warm-node check before the decrement of sbi->nr_pages[F2FS_WB_CP_DATA], preventing the unsafe access path.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-01
- Original CVE updated: 2026-05-17
- Advisory published: 2026-05-01
- Advisory updated: 2026-05-17
Who should care
Linux kernel maintainers, distro security teams, storage/platform operators, and anyone running F2FS-backed systems—especially workloads that do writeback while mounting/unmounting filesystems or run automated filesystem tests.
Technical summary
The supplied kernel description shows a race between f2fs_write_end_io() and umount/kill_f2fs_super() paths. On the writeback side, blk_mq_end_request() -> bio_endio() -> f2fs_write_end_io() decrements sbi->nr_pages[F2FS_WB_CP_DATA] and wakes cp_wait. On the unmount side, f2fs_put_super() drops sbi->node_inode with iput() and sets it to NULL. If the decrement reaches zero before f2fs_in_warm_node_list() runs, is_node_folio() may dereference the now-NULL node_inode. The patch changes the order so f2fs_in_warm_node_list() runs before decrementing the page count.
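The ordering described above can be reproduced in a small user-space model. This is an added example, not kernel code and not the upstream patch; the struct and function names are hypothetical stand-ins, and the model assumes the unmount side proceeds only once the pending writeback count is zero.

```c
/* User-space model of the ordering issue; names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
struct sbi_model {
    const int *node_inode; /* stands in for sbi->node_inode */
    int wb_cp_data;        /* stands in for sbi->nr_pages[F2FS_WB_CP_DATA] */
};

enum outcome { CHECK_SAFE = 0, CHECK_HIT_NULL = 1 };
/* Unmount side (assumption of this model): it proceeds only once no
 * writeback pages are pending, then drops node_inode and sets it NULL. */
static void umount_step(struct sbi_model *sbi)
{
    if (sbi->wb_cp_data == 0)
        sbi->node_inode = NULL;
}

/* Stand-in for the warm-node check: reports the NULL instead of
 * dereferencing it, which is where the kernel would panic. */
static enum outcome warm_node_check(const struct sbi_model *sbi)
{
    return sbi->node_inode ? CHECK_SAFE : CHECK_HIT_NULL;
}

/* One write completion, with the unmount side given a chance to run between
 * every step (worst-case interleaving, made deterministic). */
enum outcome end_io_model(int check_before_decrement)
{
    static const int inode = 1;           /* constructed sample object */
    struct sbi_model sbi = { &inode, 1 }; /* one page still under writeback */
    enum outcome r = CHECK_SAFE;
    umount_step(&sbi);                 /* blocked: count is still 1 */
    if (check_before_decrement)
        r = warm_node_check(&sbi);     /* fixed order: check first */
    umount_step(&sbi);                 /* still blocked */
    sbi.wb_cp_data--;                  /* last pending page completes */
    umount_step(&sbi);                 /* count is 0: node_inode becomes NULL */
    if (!check_before_decrement)
        r = warm_node_check(&sbi);     /* pre-fix order: check after decrement */
    return r;
}

int main(void)
{
    printf("pre-fix order:  %s\n", end_io_model(0) ? "NULL node_inode reached" : "safe");
    printf("post-fix order: %s\n", end_io_model(1) ? "NULL node_inode reached" : "safe");
    return 0;
}
```

In the model, the pending count acts as the only thing holding unmount back, so any access to node_inode after the decrement is outside its protection.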
Defensive priority
High. This is a kernel memory-safety race that can crash the system, and the NVD entry marks it HIGH severity with local, low-privilege requirements. Prioritize patched kernel deployment on any system using F2FS, especially production hosts where a panic would cause service interruption.
Recommended defensive actions
- Deploy a kernel build that includes the referenced fix commits from the stable.kernel.org links in the NVD record.
- If you maintain a distro or fleet, verify the backport landed in your vendor kernel rather than relying only on upstream version numbers.
- Prioritize F2FS-enabled systems and hosts that perform frequent mount/unmount or filesystem-testing activity.
- Track the CVE in your vulnerability management system and confirm remediation against the affected version criteria published by NVD.
- Where immediate patching is not possible, reduce exposure by limiting local access to affected hosts and minimizing untrusted local workloads.
Evidence notes
Primary evidence comes from the CVE description supplied with the NVD record dated 2026-05-01T14:16:21.637Z and modified 2026-05-17T16:16:16.180Z. The description explicitly states the race, the NULL pointer dereference, and the fix order change in f2fs_write_end_io(). NVD maps the issue to CWE-416 and CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The NVD CPE criteria in the supplied source mark Linux kernel versions starting at 4.19 and 6.19, plus 7.1-rc1, as vulnerable within the listed end bounds. Patch-related kernel references are included in the NVD metadata as stable.kernel.org links, but this debrief does not infer any additional behavior beyond the supplied text.
Official resources
- CVE-2026-31715 CVE record (CVE.org)
- CVE-2026-31715 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
- Mitigation or vendor reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch)
CVE published at 2026-05-01T14:16:21.637Z and last modified at 2026-05-17T16:16:16.180Z. No KEV entry is present in the supplied enrichment.