{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46194", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.104Z", "datePublished": "2026-05-28T09:36:47.461Z", "dateUpdated": "2026-05-28T09:36:47.461Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-28T09:36:47.461Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode writeback\n - iput\n - f2fs_drop_inode // I_SYNC set\n - f2fs_destroy_extent_node\n - __destroy_extent_node\n - while (node_cnt) {\n write_lock(&et->lock)\n __free_extent_tree\n write_unlock(&et->lock)\n - __writeback_single_inode\n - f2fs_outplace_write_data\n - f2fs_update_read_extent_cache\n - __update_extent_tree_range\n // FI_NO_EXTENT not set,\n // insert new extent node\n } // node_cnt == 0, exit while\n - f2fs_bug_on(node_cnt) // node_cnt > 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/extent_cache.c"], "versions": [{"version": "295b50e95e900da31ff237e46e04525fa799b2cf", "lessThan": "42dd1c91f993431d0b399502479d00e6ad1bca71", "status": "affected", "versionType": "git"}, {"version": "924f7dd1e832e4e4530d14711db223d2803f7b61", "lessThan": "ab1eaf9d5c99042f5b0243bf67a06283a4c0757f", "status": "affected", "versionType": "git"}, {"version": "3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343", "lessThan": "b0e4395870eb3441ddc959f6710b5f6ca61aff26", "status": "affected", "versionType": "git"}, {"version": "3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343", "lessThan": "0559a0e962aacbb47519e26ee663be04b72dcb92", "status": "affected", "versionType": "git"}, {"version": "3fc5d5a182f6a1f8bd4dc775feb54c369dd2c343", "lessThan": "ed78aeebef05212ef7dca93bd931e4eff67c113f", "status": "affected", "versionType": "git"}, {"version": "6.6.66", "lessThan": "6.6.140", "status": "affected", "versionType": "semver"}, {"version": "6.12.5", "lessThan": "6.12.88", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/f2fs/extent_cache.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.140", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.88", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.30", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0.7", "lessThanOrEqual": "7.0.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.1-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.66", "versionEndExcluding": "6.6.140"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.5", "versionEndExcluding": "6.12.88"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.1-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71"}, {"url": "https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"}, {"url": "https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26"}, {"url": "https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92"}, {"url": "https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f"}], "title": "f2fs: fix node_cnt race between extent node destroy and writeback", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix node_cnt race between extent node destroy and writeback\n\nf2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing\nextent nodes. When called from f2fs_drop_inode() with I_SYNC set,\nconcurrent kworker writeback can insert new extent nodes into the same\nextent tree, racing with the destroy and triggering f2fs_bug_on() in\n__destroy_extent_node(). The scenario is as follows:\n\ndrop inode writeback\n - iput\n - f2fs_drop_inode // I_SYNC set\n - f2fs_destroy_extent_node\n - __destroy_extent_node\n - while (node_cnt) {\n write_lock(&et->lock)\n __free_extent_tree\n write_unlock(&et->lock)\n - __writeback_single_inode\n - f2fs_outplace_write_data\n - f2fs_update_read_extent_cache\n - __update_extent_tree_range\n // FI_NO_EXTENT not set,\n // insert new extent node\n } // node_cnt == 0, exit while\n - f2fs_bug_on(node_cnt) // node_cnt > 0\n\nAdditionally, __update_extent_tree_range() only checks FI_NO_EXTENT for\nEX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.\n\nThis patch set FI_NO_EXTENT under et->lock in __destroy_extent_node(),\nconsistent with other callers (__update_extent_tree_range and\n__drop_extent_tree) and check FI_NO_EXTENT for both EX_READ and\nEX_BLOCK_AGE tree."}], "id": "CVE-2026-46194", "lastModified": "2026-05-28T13:44:01.663", "metrics": {}, "published": "2026-05-28T10:16:35.033", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0559a0e962aacbb47519e26ee663be04b72dcb92"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/42dd1c91f993431d0b399502479d00e6ad1bca71"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ab1eaf9d5c99042f5b0243bf67a06283a4c0757f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b0e4395870eb3441ddc959f6710b5f6ca61aff26"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ed78aeebef05212ef7dca93bd931e4eff67c113f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{"created": "2026-05-28T12:45:06.858229+00:00", "updated": "2026-05-28T12:45:06.858239+00:00", "vendors": [], "weaknesses": ["CWE-362"]}