CVE-2026-46194

{"id": "CVE-2026-46194", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2026-05-28T10:16:35.033", "references": [{"url": "https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode writeback\n - iput\n - f2fs_drop_inode // I_SYNC set\n - f2fs_destroy_extent_node\n - __destroy_extent_node\n - while (node_cnt) {\n write_lock(&et->lock)\n __free_extent_tree\n write_unlock(&et->lock)\n - __writeback_single_inode\n - f2fs_outplace_write_data\n - f2fs_update_read_extent_cache\n - __update_extent_tree_range\n // FI_NO_EXTENT not set,\n // insert new extent node\n } // node_cnt == 0, exit while\n - f2fs_bug_on(node_cnt) // node_cnt > 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree."}], "lastModified": "2026-06-10T19:19:50.537", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4CBDA1A-C1EF-4EE5-9B1F-78E5ED0E4C0F", "versionEndExcluding": "6.6.140", "versionStartIncluding": "6.6.66"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F2C6E611-626C-4172-A00D-2E12CF6E8D5E", "versionEndExcluding": "6.12.88", "versionStartIncluding": "6.12.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF39AE08-AE6D-4410-8FBE-76F6BF5BF55B", "versionEndExcluding": "6.18.30", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0893CA7-9AE6-4DFE-AC75-48967D73AD8E", "versionEndExcluding": "7.0.7", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}