Linux Kernel, Use-After-Free, CVE-2026-23234 (Critical)

Listen to this Post

CVE-2026-23234 is a use-after-free vulnerability in the `f2fs` (Flash-Friendly File System) component of the Linux kernel, specifically within the I/O completion handler `f2fs_write_end_io()` . The issue was discovered by syzbot, a kernel fuzzer, and arises from a race condition between the unmount of an f2fs filesystem and the completion of asynchronous write I/Os, often triggered via a loop device . When a loop device processes a write request, it eventually calls `f2fs_write_end_io()` upon I/O completion. Concurrently, if the filesystem is unmounted (kill_f2fs_super), the superblock info structure (sbi) is freed . The race occurs because `f2fs_write_end_io()` accesses `sbi` (to decrement page counts and potentially wake waiters) after marking the I/O as complete with `folio_end_writeback()` . Once `folio_end_writeback()` is called, the unmount path can proceed to free the `sbi` memory. If the write completion handler then attempts to access the freed `sbi` (e.g., to check `get_pages` or wake the checkpoint thread), a use-after-free occurs, leading to a kernel crash or potential privilege escalation . The fix implemented in the kernel relocates the wakeup and access operations to occur strictly before folio_end_writeback(), or introduces a `synchronize_rcu()` call to ensure all outstanding RCU callbacks (in which softirq contexts run) are complete before the memory is freed .

dailycve form:

Platform: Linux Kernel
Version: 6.18.13, 6.19.6
Vulnerability :Use-After-Free
Severity: Critical
date: 2026-03-04

Prediction: Patched within 2 weeks

What Undercode Say:

Analytics

The vulnerability requires local access and the ability to mount a crafted f2fs filesystem via a loop device, making it a moderate-complexity local privilege escalation (LPE) vector. Systems utilizing f2fs on loopback devices for containerization or snapshot management are most at risk. The `syzbot` reproducer indicates the race is triggerable under specific I/O load and unmount timing, suggesting it is exploitable for denial-of-service and potentially for arbitrary code execution if an attacker can control the freed memory structure.

Bash Commands and Codes

Check if your current kernel is vulnerable:

uname -r

Check if the `f2fs` module is loaded:

lsmod | grep f2fs

Check dmesg for indications of the vulnerability or a related crash:

dmesg | grep -i "f2fs_write_end_io|KASAN.f2fs"

Example of a manual test to trigger the race (for research purposes only):

Create a loop device with f2fs
dd if=/dev/zero of=/tmp/f2fs.img bs=1M count=100
sudo losetup /dev/loop0 /tmp/f2fs.img
sudo mkfs.f2fs /dev/loop0
mkdir /tmp/mnt
sudo mount -t f2fs /dev/loop0 /tmp/mnt
Simulate I/O load and rapid unmount (potential race trigger)
while true; do sudo dd if=/dev/zero of=/tmp/mnt/test bs=4k count=1000 oflag=direct & sudo umount /tmp/mnt; sudo mount /dev/loop0 /tmp/mnt; done

How Exploit

No public exploit code has been released, but the syzbot report provides a detailed crash log and reproducer . Exploitation would involve winning a race condition where a kernel object (sbi) is accessed after being freed. A local attacker could attempt to spray the kernel heap to place controlled data in the freed memory slot before the dangling pointer is used, potentially hijacking control flow.

Protection from this CVE

Update the Linux kernel to a patched version (e.g., 6.18.13-1 or 6.19.6-1 for Debian, or equivalent for other distributions) . As a temporary mitigation, avoid using f2fs on loop devices if possible, or ensure all I/O is complete before unmounting:

sync && umount /path/to/mount

Impact

Successful exploitation leads to a kernel panic (denial of service) or, in the worst case, arbitrary code execution with kernel privileges, allowing an attacker to compromise the entire system. The vulnerability affects multiple long-term support (LTS) kernels and distributions .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top