CVE-2026-23233
Published: 04 March 2026
Summary
CVE-2026-23233 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 4.8th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23233 is a vulnerability in the Linux kernel's F2FS filesystem implementation, specifically in the check_swap_activate() function in fs/f2fs/data.c. It affects kernel versions 6.6 and later on an F2FS-formatted partition when a swapfile is smaller than the F2FS section size of 2 MB (512 blocks of 4 KiB in the default layout) and has a fragmented physical layout, that is, multiple non-contiguous extents. The bug is in how physical blocks are mapped during swapfile activation: when the first extent is not aligned to a section boundary, the alignment arithmetic rounds the extent length up to a whole section, then subtracts a section because that would overrun the file, leaving zero. The code reads that zero as "this is the last extent", migrates the whole file, and never looks the mapping up again, so the extents after the first are never processed and the swap extent that gets registered points at the wrong physical blocks. Swap writes then land on blocks belonging to other files.
The CVSS vector (7.8: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) assumes a local, low-privileged actor who creates a qualifying swapfile on an F2FS partition and activates it, as stress-ng's swap stress test does. One caveat for defenders: swapon(2) itself requires CAP_SYS_ADMIN, so on a stock kernel the activating process is privileged; the realistic exposure is a privileged service or test harness that activates a small, fragmented swapfile rather than an unprivileged user doing so directly. The outcome is data corruption, surfacing as dm-verity corruption errors that reboot the device or as F2FS node corruption errors that hang boot. The high impact on confidentiality, integrity and availability, and the CWE-787 classification, follow from the fact that the mis-mapped swap extent lets the kernel overwrite on-disk blocks owned by other files.
Stable kernel commits such as 1ff415eef513bf12deb058fc50d57788c46c48e6 (others are listed in the references) resolve the issue by looking the block mapping up again after all blocks in the tail of the swapfile have been migrated, so extents that follow an alignment adjustment are still processed. Apply the stable update carrying the fix to affected 6.6+ kernels; where that is not yet possible, steer clear of the report's trigger conditions by not activating small (< 2 MB), fragmented swapfiles on F2FS, for instance by using a swap partition instead. The bug was reported via Bugzilla (ID 220951) and reproduced on Android devices with F2FS userdata partitions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9405
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid mapping wrong physical block for swapfile

Xiaolong Guo reported an f2fs bug in bugzilla [1]

[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951

Quoted:

"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data corruption leading to either:
1. dm-verity corruption errors and device reboot
2. F2FS node corruption errors and boot hangs

The issue occurs specifically when:
1. Using F2FS filesystem (ext4 is unaffected)
2. Swapfile size is less than F2FS section size (2MB)
3. Swapfile has fragmented physical layout (multiple non-contiguous extents)
4. Kernel version is 6.6+ (6.1 is unaffected)

The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the first extent of a small swapfile (< 2MB) is not aligned to section boundaries, the function incorrectly treats it as the last extent, failing to map subsequent extents. This results in incorrect swap_extent creation where only the first extent is mapped, causing subsequent swap writes to overwrite wrong physical locations (other files' data).

Steps to Reproduce
1. Set up a device with F2FS-formatted userdata partition
2. Compile stress-ng from https://github.com/ColinIanKing/stress-ng
3. Run swap stress test: (Android devices)
   adb shell "cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 --swap 0"

Log:
1. Ftrace shows in kernel 6.6, only first extent is mapped during second f2fs_map_blocks call in check_swap_activate():
   stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start blkaddr=0x43143, len=0x1
   (Only 4KB mapped, not the full swapfile)
2. In kernel 6.1, both extents are correctly mapped:
   stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start blkaddr=0x13cd4, len=0x1
   stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start blkaddr=0x60c84b, len=0xff

The problematic code is in check_swap_activate():

    if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||
            nr_pblocks % blks_per_sec ||
            !f2fs_valid_pinned_area(sbi, pblock)) {
        bool last_extent = false;

        not_aligned++;

        nr_pblocks = roundup(nr_pblocks, blks_per_sec);
        if (cur_lblock + nr_pblocks > sis->max)
            nr_pblocks -= blks_per_sec;

        /* this extent is last one */
        if (!nr_pblocks) {
            nr_pblocks = last_lblock - cur_lblock;
            last_extent = true;
        }

        ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);
        if (ret) {
            if (ret == -ENOENT)
                ret = -EINVAL;
            goto out;
        }

        if (!last_extent)
            goto retry;
    }

When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec) exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The code then incorrectly assumes this is the last extent, sets nr_pblocks = last_lblock - cur_lblock (entire swapfile), and performs migration. After migration, it doesn't retry mapping, so subsequent extents are never processed."

In order to fix this issue, we need to lookup block mapping info after we migrate all blocks in the tail of swapfile.
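The arithmetic in the quoted hunk can be replayed on a constructed layout. The C model below is an added example written for this page; it is not kernel code and not the upstream patch. It stands in f2fs_map_blocks() and f2fs_migrate_blocks() with tiny fakes, assumes 4 KiB blocks and the default 2 MiB (512-block) section, uses a made-up main-area address and a made-up free section, and builds a 1 MiB swapfile whose layout mirrors the 6.1 ftrace lines above (block 0 alone, blocks 1..255 in a second run). walk_swapfile() follows the quoted control flow: with fixed=false it keeps the pre-patch behaviour, where roundup() takes the 1-block extent to 512, the sis->max check takes it back to 0, the zero is read as "last extent", the whole file is migrated, and the extent is then registered with the start block captured before the move; with fixed=true it looks the mapping up again after the tail migration, which is the approach the commit message states, so the registered extent follows the blocks to their new location.

```c
#include <stdbool.h>
#include <stdio.h>

#define BLKS_PER_SEC 512u        /* 2 MiB section / 4 KiB block (default layout, assumed) */
#define MAIN_BLKADDR 0x1000u     /* constructed start of the main area */
#define SWAP_BLOCKS  256u        /* 1 MiB swapfile: smaller than one section */
#define MAX_EXTENTS  8
#define roundup(x, y) ((((x) + (y) - 1) / (y)) * (y))

struct lmap { unsigned pblk[SWAP_BLOCKS]; };   /* logical block -> physical block */
struct swap_extent { unsigned lblk, len, pblk; };
struct swap_info { struct swap_extent ext[MAX_EXTENTS]; int nr; unsigned max; };

/* Constructed layout mirroring the 6.1 ftrace lines: block 0 alone at 0x13cd4,
 * blocks 1..255 contiguous from 0x60c84b. */
void build_fragmented(struct lmap *m)
{
    m->pblk[0] = 0x13cd4;
    for (unsigned i = 1; i < SWAP_BLOCKS; i++)
        m->pblk[i] = 0x60c84b + (i - 1);
}

/* Stand-in for f2fs_map_blocks(): longest physically contiguous run at lblk. */
static unsigned map_blocks(const struct lmap *m, unsigned lblk, unsigned *pblk)
{
    unsigned n = 1;
    *pblk = m->pblk[lblk];
    while (lblk + n < SWAP_BLOCKS && m->pblk[lblk + n] == *pblk + n)
        n++;
    return n;
}

/* Stand-in for f2fs_migrate_blocks(): move [lblk, lblk+len) to a fresh,
 * section-aligned run. The old addresses no longer belong to the swapfile. */
static void migrate_blocks(struct lmap *m, unsigned lblk, unsigned len, unsigned *next_free)
{
    for (unsigned i = 0; i < len; i++)
        m->pblk[lblk + i] = *next_free + i;
    *next_free += roundup(len, BLKS_PER_SEC);
}

/* Extent walk following the quoted control flow. fixed=false: pre-patch, no
 * re-lookup after the tail migration. fixed=true: re-read the mapping once the
 * tail has been migrated. Returns the number of registered extents, -1 on overflow. */
int walk_swapfile(struct lmap *m, struct swap_info *sis, bool fixed)
{
    unsigned cur_lblock = 0, last_lblock = SWAP_BLOCKS;
    unsigned next_free = MAIN_BLKADDR + 4 * BLKS_PER_SEC;   /* constructed free section */
    bool tail_migrated = false;

    sis->nr = 0;
    sis->max = SWAP_BLOCKS;
    while (cur_lblock < last_lblock) {
        unsigned pblock, nr_pblocks;
retry:
        nr_pblocks = map_blocks(m, cur_lblock, &pblock);
        if (!tail_migrated &&
            ((pblock - MAIN_BLKADDR) % BLKS_PER_SEC || nr_pblocks % BLKS_PER_SEC)) {
            bool last_extent = false;

            nr_pblocks = roundup(nr_pblocks, BLKS_PER_SEC);  /* 1 -> 512 */
            if (cur_lblock + nr_pblocks > sis->max)
                nr_pblocks -= BLKS_PER_SEC;                   /* 512 -> 0: file < one section */
            if (!nr_pblocks) {                                /* zero is read as "last extent" */
                nr_pblocks = last_lblock - cur_lblock;
                last_extent = true;
            }
            migrate_blocks(m, cur_lblock, nr_pblocks, &next_free);
            if (!last_extent)
                goto retry;
            if (fixed) {               /* the tail moved, so its mapping must be re-read */
                tail_migrated = true;
                goto retry;
            }
            /* pre-patch: fall through with pblock captured BEFORE the migration */
        }
        if (cur_lblock + nr_pblocks > sis->max)
            nr_pblocks = sis->max - cur_lblock;
        if (sis->nr == MAX_EXTENTS)
            return -1;
        sis->ext[sis->nr++] = (struct swap_extent){ cur_lblock, nr_pblocks, pblock };
        cur_lblock += nr_pblocks;
    }
    return sis->nr;
}

/* Swapfile blocks whose registered extent points somewhere other than the
 * block's real location: each one is a swap write into someone else's data. */
unsigned misdirected_blocks(const struct swap_info *sis, const struct lmap *m)
{
    unsigned bad = 0;
    for (int e = 0; e < sis->nr; e++)
        for (unsigned i = 0; i < sis->ext[e].len; i++)
            if (sis->ext[e].pblk + i != m->pblk[sis->ext[e].lblk + i])
                bad++;
    return bad;
}

int main(void)
{
    struct lmap m;
    struct swap_info sis;

    build_fragmented(&m);
    walk_swapfile(&m, &sis, false);
    printf("pre-patch: %d extent(s) at 0x%x, %u/%u blocks misdirected\n",
           sis.nr, sis.ext[0].pblk, misdirected_blocks(&sis, &m), SWAP_BLOCKS);
    build_fragmented(&m);
    walk_swapfile(&m, &sis, true);
    printf("re-lookup: %d extent(s) at 0x%x, %u/%u blocks misdirected\n",
           sis.nr, sis.ext[0].pblk, misdirected_blocks(&sis, &m), SWAP_BLOCKS);
    return 0;
}
```

misdirected_blocks() counts the swapfile blocks whose registered extent disagrees with the real layout after activation; each of those is a swap write into a block the swapfile no longer owns. On this input the pre-patch walk registers one 256-block extent still pointing at 0x13cd4 and misdirects all 256 blocks, while the re-lookup walk registers one extent at the section-aligned destination and misdirects none.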
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is a local kernel out-of-bounds write: swap I/O through the mis-mapped extent lands on physical blocks owned by other files, which destroys on-disk data (T1485 Data Destruction), and a kernel-level write primitive of this kind is the class of bug used for local privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of system flaws; for this kernel bug that means rolling out the stable kernel update that carries the upstream fix for the F2FS swapfile block mapping.
RA-5 mandates vulnerability scanning and monitoring, which is how CVE-2026-23233 gets identified on fleets running affected 6.6+ kernels so that remediation can be scheduled rather than discovered after a corruption event.
SI-7 enforces software, firmware, and information integrity monitoring, which is what detects swap writes landing on the wrong physical blocks on F2FS; the dm-verity errors in the original report are exactly this kind of integrity check firing on the corrupted blocks.