CVE-2026-23234
Published: 04 March 2026
Summary
CVE-2026-23234 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 6.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-23234 is a use-after-free vulnerability in the Linux kernel's F2FS filesystem implementation, specifically within the f2fs_write_end_io() function. The issue arises from a race condition between a loop device worker thread processing I/O requests and an umount operation. During this race, the superblock info structure (sbi) is freed in kill_f2fs_super() via f2fs_put_super(), but a subsequent access to the freed sbi occurs when get_pages() is called for F2FS_WB_CP_DATA pages after folio_end_writeback(). The vulnerability was reported by syzbot and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-416.
A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the race condition, likely through concurrent loop device I/O and filesystem unmount operations, leading to use-after-free of the sbi structure. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, arbitrary code execution in kernel context, or system denial of service.
The referenced kernel stable commits carry the fix, which moves the checkpoint (ckpt) thread wakeup flow in f2fs_write_end_io() to before folio_end_writeback(). Because kill_f2fs_super() drops all page caches of f2fs inodes, and therefore waits for every folio to finish writeback, before freeing sbi, any access to sbi made before the last folio_end_writeback() is safe; the reordering ensures that no access happens after it. Security practitioners should apply these patches from the Linux kernel stable trees to affected versions.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9406
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_write_end_io()

As syzbot reported, there is a use-after-free issue in f2fs_write_end_io(). It is caused by the below race condition:

loop device                                     umount
- worker_thread
 - loop_process_work
  - do_req_filebacked
   - lo_rw_aio
    - lo_rw_aio_complete
     - blk_mq_end_request
      - blk_update_request
       - f2fs_write_end_io
        - dec_page_count
        - folio_end_writeback
                                                - kill_f2fs_super
                                                 - kill_block_super
                                                  - f2fs_put_super
                                                  : free(sbi)
        : get_pages(, F2FS_WB_CP_DATA) accessed sbi which is freed

In kill_f2fs_super(), we will drop all page caches of f2fs inodes before calling free(sbi); it guarantees that all folios should end their writeback, so it should be safe to access sbi before the last folio_end_writeback(). Let's relocate the ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.
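To make the ordering concrete, here is a small C model added for this page (it is not the kernel's code): the umount side is reduced to freeing sbi the moment the last folio ends writeback, and the sbi accessors count any access that happens after that free. run_model(), ckpt_thread_should_wake() and the _buggy/_fixed variants of f2fs_write_end_io() are constructed names for the model; the real fix is the reordering in the stable commits.

```c
/* Added model for this page, not kernel code: umount is reduced to freeing sbi
 * as soon as the last folio ends writeback; any later sbi access is the UAF. */
#include <stdbool.h>
#include <stdlib.h>
enum count_type { F2FS_WB_CP_DATA, NR_COUNT_TYPE };
struct f2fs_sb_info { long nr_pages[NR_COUNT_TYPE]; };
static struct f2fs_sb_info *sbi;   /* model-global superblock info */
static bool sbi_freed;             /* set by the modelled umount path */
static int folios_under_writeback; /* what still blocks umount */
static int uaf_accesses;           /* sbi accesses after free() */
static long get_pages(enum count_type t)
{   /* records a UAF instead of dereferencing freed memory */
    if (sbi_freed) { uaf_accesses++; return -1; }
    return sbi->nr_pages[t];
}
static void dec_page_count(enum count_type t)
{   if (sbi_freed) uaf_accesses++; else sbi->nr_pages[t]--; }
/* kill_f2fs_super() -> kill_block_super() -> f2fs_put_super(): free(sbi) */
static void kill_f2fs_super(void) { free(sbi); sbi = NULL; sbi_freed = true; }
/* The last writeback completion is what lets the waiting umount proceed. */
static void folio_end_writeback(void)
{   if (--folios_under_writeback == 0) kill_f2fs_super(); }
/* The ckpt wakeup flow reads the in-flight CP data count from sbi. */
static bool ckpt_thread_should_wake(void)
{   return get_pages(F2FS_WB_CP_DATA) == 0; }
/* Pre-fix ordering: writeback ended first, sbi read afterwards. */
static void f2fs_write_end_io_buggy(void)
{
    dec_page_count(F2FS_WB_CP_DATA);
    folio_end_writeback();
    (void)ckpt_thread_should_wake();
}
/* Fixed ordering: every sbi access completes before folio_end_writeback(). */
static void f2fs_write_end_io_fixed(void)
{
    dec_page_count(F2FS_WB_CP_DATA);
    (void)ckpt_thread_should_wake();
    folio_end_writeback();
}
/* One completion on a fresh sbi with one in-flight folio; returns how many
 * accesses hit freed memory (0 means the ordering is safe). */
static int run_model(void (*end_io)(void))
{
    sbi = calloc(1, sizeof(*sbi));
    sbi->nr_pages[F2FS_WB_CP_DATA] = 1;
    sbi_freed = false; folios_under_writeback = 1; uaf_accesses = 0;
    end_io();
    if (!sbi_freed) kill_f2fs_super();
    return uaf_accesses;
}
```

The buggy ordering reports one access to freed sbi (the get_pages() read in the wakeup flow); the fixed ordering reports none, which is the invariant the upstream reordering restores.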
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel use-after-free in F2FS maps to Exploitation for Privilege Escalation (T1068): it enables direct exploitation for privilege escalation to root via arbitrary kernel code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the use-after-free by requiring timely patching of the Linux kernel with the fix that relocates the ckpt thread wakeup in f2fs_write_end_io(), removing the race during umount.
- Memory protection: runtime protections such as KASLR and SMEP/SMAP (supervisor-mode execution and access prevention) raise the bar for turning the sbi use-after-free into kernel code execution or memory corruption, but do not remove the flaw.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning and monitoring identify Linux kernel versions exposed to CVE-2026-23234, enabling proactive flaw remediation.