PatchSiren cyber security CVE debrief
CVE-2026-46194 Linux CVE debrief
A race condition in the Linux kernel's F2FS (Flash-Friendly File System) extent tree management can trigger a kernel bug check (f2fs_bug_on) during inode destruction. The vulnerability occurs when f2fs_destroy_extent_node() clears extent nodes without first setting the FI_NO_EXTENT flag, allowing concurrent writeback operations to insert new extent nodes into the same tree. This race leaves the node count inconsistent, causing a failed assertion when the destruction loop completes. Additionally, EX_BLOCK_AGE extent tree updates were not protected by FI_NO_EXTENT checks, leaving a secondary path for similar races. The fix sets FI_NO_EXTENT under the extent tree lock during destruction and extends the flag check to both EX_READ and EX_BLOCK_AGE tree types.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations running Linux systems with F2FS filesystems, particularly those with workloads involving high inode turnover and concurrent writeback activity; kernel maintainers and distribution security teams tracking stable kernel updates.
Technical summary
The F2FS filesystem maintains per-inode extent trees for read and block-age tracking. When an inode is dropped (f2fs_drop_inode), the extent tree is destroyed via f2fs_destroy_extent_node(). The original code did not set FI_NO_EXTENT before entering the destruction loop, and released et->lock between iterations. Concurrent writeback (via kworker) could then acquire the lock, observe FI_NO_EXTENT unset, and insert new nodes via __update_extent_tree_range(). This incremented node_cnt after the destruction loop had observed it as zero, triggering f2fs_bug_on(node_cnt) in __destroy_extent_node(). The fix moves FI_NO_EXTENT setting under et->lock within the destruction loop and extends the check to EX_BLOCK_AGE trees, matching the protection pattern used in __update_extent_tree_range and __drop_extent_tree.
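The interleaving described above, replayed as a deterministic single-threaded model (an added example, not code from the kernel or from this advisory). The struct layout, BATCH and the two boolean knobs are assumptions; the second knob shows why setting the flag alone is not enough while the update check skips EX_BLOCK_AGE trees.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified single-threaded model of the interleaving, not kernel code.
 * Names follow the page; the struct layout and BATCH are assumptions. */
enum extent_type { EX_READ, EX_BLOCK_AGE };
enum { BATCH = 2 };                 /* nodes freed per locked iteration */

struct extent_tree {
    enum extent_type type;
    int node_cnt;                   /* models et->node_cnt */
    bool no_extent;                 /* models FI_NO_EXTENT on the inode */
};

/* Writeback side: an insert as done via __update_extent_tree_range().
 * check_all=false models the old check that covered EX_READ trees only. */
static void writeback_update(struct extent_tree *et, bool check_all)
{
    if (et->no_extent && (check_all || et->type == EX_READ))
        return;                     /* tree is being torn down: no insert */
    et->node_cnt++;
}

/* Drop-inode side: destroy a tree holding `nodes` extent nodes. Returns the
 * node_cnt that f2fs_bug_on(node_cnt) would see; nonzero means it fires. */
static int destroy_extent_node(enum extent_type type, int nodes,
                               bool set_flag, bool check_all)
{
    struct extent_tree et = { type, nodes, false };

    while (et.node_cnt) {
        if (set_flag)               /* the fix: flag set under et->lock */
            et.no_extent = true;
        et.node_cnt -= et.node_cnt < BATCH ? et.node_cnt : BATCH;
        if (et.node_cnt)            /* lock released: writeback gets a turn */
            writeback_update(&et, check_all);
    }
    writeback_update(&et, check_all); /* after the loop saw node_cnt == 0 */
    return et.node_cnt;
}

int main(void)
{
    printf("original, EX_READ: %d\n", destroy_extent_node(EX_READ, 5, false, false));
    printf("flag only, EX_BLOCK_AGE: %d\n", destroy_extent_node(EX_BLOCK_AGE, 5, true, false));
    printf("flag + both checks: %d\n", destroy_extent_node(EX_BLOCK_AGE, 5, true, true));
    return 0;
}
```

A nonzero result corresponds to the failed f2fs_bug_on(node_cnt) assertion; the model replays one fixed interleaving and does not measure how often the real race occurs.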
Defensive priority
high
Recommended defensive actions
- Apply the relevant stable kernel patch from the Linux kernel stable tree once available for your distribution
- Monitor distribution-specific security advisories for kernel updates addressing CVE-2026-46194
- If running custom F2FS workloads with high inode churn and concurrent writeback, consider testing kernel behavior under load after patching
- Review system logs for f2fs_bug_on assertions as potential indicators of this race condition having occurred
Evidence notes
The CVE description provides a detailed execution trace showing the interleaving of drop inode and writeback paths. Five kernel.org stable tree commits are referenced, indicating backports to multiple kernel versions. The vulnerability is classified as resolved in the Linux kernel. No CVSS score or severity is currently assigned by NVD (status: Awaiting Analysis).
Official resources
- CVE-2026-46194 CVE record (CVE.org)
- CVE-2026-46194 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)