PT-2026-44317 · Linux · Linux
Published: 2026-05-28 · Updated: 2026-05-28 · CVE-2026-46194
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix node_cnt race between extent node destroy and writeback

f2fs_destroy_extent_node() does not set FI_NO_EXTENT before clearing
extent nodes. When called from f2fs_drop_inode() with I_SYNC set,
concurrent kworker writeback can insert new extent nodes into the same
extent tree, racing with the destroy and triggering f2fs_bug_on() in
__destroy_extent_node(). The scenario is as follows:

drop inode                            writeback
 - iput
  - f2fs_drop_inode  // I_SYNC set
   - f2fs_destroy_extent_node
    - __destroy_extent_node
     - while (node_cnt) {
         write_lock(&et->lock)
         __free_extent_tree
         write_unlock(&et->lock)
                                      - __writeback_single_inode
                                       - f2fs_outplace_write_data
                                        - f2fs_update_read_extent_cache
                                         - __update_extent_tree_range
                                           // FI_NO_EXTENT not set,
                                           // insert new extent node
       } // node_cnt == 0, exit while
     - f2fs_bug_on(node_cnt)  // node_cnt > 0

Additionally, __update_extent_tree_range() only checks FI_NO_EXTENT for
EX_READ type, leaving EX_BLOCK_AGE updates completely unprotected.

This patch sets FI_NO_EXTENT under et->lock in __destroy_extent_node(),
consistent with other callers (__update_extent_tree_range and
__drop_extent_tree) and checks FI_NO_EXTENT for both EX_READ and
EX_BLOCK_AGE tree.
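
An added example, not the kernel patch and not code from this advisory: a single-threaded C model that replays the interleaving described above and compares the pre-fix and post-fix behaviour for both extent trees. The struct, the function names and the `fixed` switch are assumptions for illustration, locking is indicated by comments only, and the exact placement of the flag update inside the loop is assumed.

```c
#include <stdbool.h>
#include <stdio.h>
enum extent_type { EX_READ, EX_BLOCK_AGE, NR_EXTENT_CACHES };

/* Simplified stand-in for the inode state involved, not the kernel structs. */
struct inode_model {
    bool no_extent;                   /* models FI_NO_EXTENT */
    int  node_cnt[NR_EXTENT_CACHES];  /* models et->node_cnt, one per tree */
};

/* Writeback side, modelling __update_extent_tree_range() under et->lock.
 * Returns true if a node was inserted. */
static bool update_range(struct inode_model *in, enum extent_type t, bool fixed)
{
    if ((fixed || t == EX_READ) && in->no_extent)  /* pre-fix: EX_READ only */
        return false;
    in->node_cnt[t]++;
    return true;
}

/* With FI_NO_EXTENT already set, is an insert into tree t still accepted? */
static bool insert_when_flagged(enum extent_type t, bool fixed)
{
    struct inode_model in = { .no_extent = true };
    return update_range(&in, t, fixed);
}

/* Replays the interleaving: the drop side empties a tree of three nodes, then
 * the insert lands after the loop saw node_cnt == 0. Returns the count that
 * f2fs_bug_on() would test. */
static int leftover_after_race(enum extent_type t, bool fixed)
{
    struct inode_model in = { .no_extent = false, .node_cnt = { 3, 3 } };
    while (in.node_cnt[t]) {          /* loop body runs under et->lock */
        if (fixed)
            in.no_extent = true;      /* the fix: flag set under et->lock */
        in.node_cnt[t] = 0;           /* models __free_extent_tree() */
    }
    update_range(&in, t, fixed);      /* concurrent kworker insert */
    return in.node_cnt[t];
}

int main(void)
{
    for (int t = EX_READ; t < NR_EXTENT_CACHES; t++)
        printf("tree %d: leftover pre-fix=%d post-fix=%d, flagged insert pre-fix=%d\n",
               t, leftover_after_race(t, false), leftover_after_race(t, true),
               insert_when_flagged(t, false));
    return 0;
}
```

A non-zero leftover count corresponds to the f2fs_bug_on() condition in the scenario; the flagged-insert column shows the EX_BLOCK_AGE tree accepting an insert before the fix even when the flag is already set.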
Affected Products
Linux