CVE-2026-23235
Published: 04 March 2026
Summary
CVE-2026-23235 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 5.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read enables local data collection from kernel memory (T1005); OOB write in kernel sysfs path supports local privilege escalation via exploitation (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: f2fs: fix out-of-bounds access in sysfs attribute read/write Some f2fs sysfs attributes suffer from out-of-bounds memory access and incorrect handling of integer values whose size is not 4 bytes. For…
more
example: vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out vm:~# cat /sys/fs/f2fs/vde/carve_out 65537 vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold 1 carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit integer. However, the sysfs interface allows setting it to a value larger than 255, resulting in an out-of-range update. atgc_age_threshold maps to {struct atgc_management}->age_threshold, which is a 64-bit integer, but its sysfs interface cannot correctly set values larger than UINT_MAX. The root causes are: 1. __sbi_store() treats all default values as unsigned int, which prevents updating integers larger than 4 bytes and causes out-of-bounds writes for integers smaller than 4 bytes. 2. f2fs_sbi_show() also assumes all default values are unsigned int, leading to out-of-bounds reads and incorrect access to integers larger than 4 bytes. This patch introduces {struct f2fs_attr}->size to record the actual size of the integer associated with each sysfs attribute. With this information, sysfs read and write operations can correctly access and update values according to their real data size, avoiding memory corruption and truncation.
Deeper analysisAI
CVE-2026-23235 is a vulnerability in the Linux kernel's f2fs (Flash-Friendly File System) implementation, specifically affecting sysfs attribute read and write operations. Certain f2fs sysfs attributes, such as carve_out and atgc_age_threshold, suffer from out-of-bounds memory access and improper handling of integer values whose sizes deviate from 4 bytes. For instance, carve_out, mapped to an 8-bit integer in struct f2fs_sb_info, can be set to values exceeding 255, like 65537, leading to out-of-range updates. Similarly, atgc_age_threshold, a 64-bit integer in struct atgc_management, fails to correctly handle values larger than UINT_MAX, resulting in truncation. The root causes lie in __sbi_store() and f2fs_sbi_show() functions assuming all values are unsigned int (4 bytes), enabling out-of-bounds reads and writes (CWE-125). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability by interacting with affected f2fs sysfs attributes, such as writing oversized values to /sys/fs/f2fs/<device>/carve_out or /sys/fs/f2fs/<device>/atgc_age_threshold. Successful exploitation enables out-of-bounds memory reads and writes, potentially leading to high-impact confidentiality violations through information disclosure or availability disruptions via memory corruption and system crashes. No user interaction is required, and the attack is straightforward given low complexity and local access.
Mitigation requires updating to patched Linux kernel versions, as detailed in the referenced stable branch commits: 3a905e183c047577b154f08a78ac3039e9454703, 438a405fbad6882df0e34b3e1a16839a71f04240, 4ef30b9f1641c9e877792df6b049f1cf507d002d, 6a6c07a9b49e43f0df42d7118fc76aa555c73d98, and 98ea0039dbfdd00e5cc1b9a8afa40434476c0955. These patches introduce a size field in struct f2fs_attr to ensure sysfs operations respect the actual integer sizes, preventing corruption and truncation. Security practitioners should prioritize kernel updates on systems using f2fs filesystems.
Details
- CWE(s)