Cyber Resilience

CVE-2026-23234

High

Published: 04 March 2026
Modified: 17 March 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23234 is a high-severity use-after-free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-23234 is a use-after-free vulnerability in the Linux kernel's F2FS filesystem implementation, specifically within the f2fs_write_end_io() function. The issue arises from a race condition between a loop device worker thread processing I/O requests and an umount operation. During this race, the superblock info structure (sbi) is freed in kill_f2fs_super() via f2fs_put_super(), but a subsequent access to the freed sbi occurs when get_pages() is called for F2FS_WB_CP_DATA pages after folio_end_writeback(). The vulnerability was reported by syzbot and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-416.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of user interaction requirements. Exploitation involves triggering the race condition, likely through concurrent loop device I/O and filesystem unmount operations, leading to use-after-free of the sbi structure. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as kernel memory corruption, arbitrary code execution in kernel context, or system denial of service.

The provided kernel stable commit references detail the mitigation, which relocates the checkpoint (ckpt) thread wakeup flow before folio_end_writeback() in f2fs_write_end_io() to ensure safe access to sbi after all page caches are dropped in kill_f2fs_super(). Security practitioners should apply these patches from the Linux kernel stable trees to affected versions.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid UAF in f2fs_write_end_io()

As syzbot reported an use-after-free issue in f2fs_write_end_io().

It is caused by below race condition:

loop device                         umount
- worker_thread
 - loop_process_work
  - do_req_filebacked
   - lo_rw_aio
    - lo_rw_aio_complete
     - blk_mq_end_request
      - blk_update_request
       - f2fs_write_end_io
        - dec_page_count
        - folio_end_writeback
                                    - kill_f2fs_super
                                     - kill_block_super
                                      - f2fs_put_super
                                     : free(sbi)
       : get_pages(, F2FS_WB_CP_DATA)
         accessed sbi which is freed

In kill_f2fs_super(), we will drop all page caches of f2fs inodes before call free(sbi), it guarantee that all folios should end its writeback, so it should be safe to access sbi before last folio_end_writeback().

Let's relocate ckpt thread wakeup flow before folio_end_writeback() to resolve this issue.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation · Tactic: Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in F2FS enables direct exploitation for privilege escalation to root via arbitrary kernel code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
3.13 — 5.10.251 · 5.11 — 5.15.201 · 5.16 — 6.1.164
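
The following triage helper is an added example, not code from this page or from the kernel project. It checks a `uname -r` string against the ranges listed above and reads `/proc/filesystems` and `/proc/mounts` text to see whether F2FS is in use. The function names, result labels and sample inputs are hypothetical, and treating each range's upper bound as affected is an assumption.

```python
import re

# Affected upstream ranges exactly as listed under "Affected Assets" on this page.
AFFECTED_RANGES = [
    ((3, 13, 0), (5, 10, 251)),
    ((5, 11, 0), (5, 15, 201)),
    ((5, 16, 0), (6, 1, 164)),
]

def parse_release(release):
    """Turn a `uname -r` string such as '6.1.90-amd64' into (6, 1, 90)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(part or 0) for part in m.groups())

def in_listed_range(release, upper_inclusive=True):
    """Assumption: the page does not say whether each upper bound is the last
    affected or the first fixed release, so it is treated as affected by default."""
    v = parse_release(release)
    return any(
        low <= v and (v <= high if upper_inclusive else v < high)
        for low, high in AFFECTED_RANGES
    )

def f2fs_exposure(proc_filesystems, proc_mounts):
    """Return (driver_registered, f2fs_mountpoints) from the text of
    /proc/filesystems and /proc/mounts."""
    registered = any(
        line.split()[-1] == "f2fs"
        for line in proc_filesystems.splitlines() if line.strip()
    )
    fields = (line.split() for line in proc_mounts.splitlines())
    mounts = [f[1] for f in fields if len(f) >= 3 and f[2] == "f2fs"]
    return registered, mounts

def triage(release, proc_filesystems, proc_mounts):
    """Rank a host for patch scheduling; the labels are hypothetical."""
    if not in_listed_range(release):
        return "not in listed ranges"
    registered, mounts = f2fs_exposure(proc_filesystems, proc_mounts)
    if mounts:
        return "patch first: f2fs mounted at " + ", ".join(mounts)
    if registered:
        return "patch: f2fs driver registered, nothing mounted"
    return "patch: in range, f2fs driver not currently registered"

# Constructed sample inputs (not captured from a real host).
SAMPLE_FILESYSTEMS = "nodev\tsysfs\nnodev\tproc\n\text4\n\tf2fs\n"
SAMPLE_MOUNTS = "/dev/sda1 / ext4 rw 0 0\n/dev/loop0 /mnt/img f2fs rw 0 0\n"
```

Distribution kernels often backport fixes without changing the upstream version number, so confirm any match against the vendor's advisory for this CVE.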

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability by requiring timely application of the Linux kernel patch that relocates the ckpt thread wakeup in f2fs_write_end_io(), which prevents the race during umount.

prevent

Provides runtime memory protections such as KASLR and SMEP/SMAP (supervisor mode execution and access prevention) to mitigate exploitation of the sbi use-after-free for code execution or corruption.

prevent

Vulnerability scanning and monitoring identify affected Linux kernel versions exposed to CVE-2026-23234, enabling proactive flaw remediation.