CVE-2026-43349 (GCVE-0-2026-43349)
Vulnerability from cvelistv5 – Published: 2026-05-08 13:41 – Updated: 2026-05-08 13:41
Title
f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
Summary
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer
syzbot reported a f2fs bug as below:
BUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520
f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177
f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1
bio_endio+0x1006/0x1160 block/bio.c:1792
submit_bio_noacct+0x533/0x2960 block/blk-core.c:891
submit_bio+0x57a/0x620 block/blk-core.c:926
blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]
f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557
f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775
read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481
__get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576
f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623
do_read_inode fs/f2fs/inode.c:425 [inline]
f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596
f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184
get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694
get_tree_bdev+0x38/0x50 fs/super.c:1717
f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436
vfs_get_tree+0xb3/0x5d0 fs/super.c:1754
fc_mount fs/namespace.c:1193 [inline]
do_new_mount_fc fs/namespace.c:3763 [inline]
do_new_mount+0x885/0x1dd0 fs/namespace.c:3839
path_mount+0x7a2/0x20b0 fs/namespace.c:4159
do_mount fs/namespace.c:4172 [inline]
__do_sys_mount fs/namespace.c:4361 [inline]
__se_sys_mount+0x704/0x7f0 fs/namespace.c:4338
__x64_sys_mount+0xe4/0x150 fs/namespace.c:4338
x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The root cause is: in f2fs_finish_read_bio(), we may access uninit data
in folio if we failed to read the data from device into folio, let's add
a check condition to avoid such issue.
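Severity
No CVSS data available.
Assigner
Linux
References
- https://git.kernel.org/stable/c/59970b2586fef4b13e96527b9d232bed30b640cd
- https://git.kernel.org/stable/c/a10b89343d41ceee1af0ec38d3a74e526c77fa09
- https://git.kernel.org/stable/c/7b9161a605e91d0987e2596a245dc1f21621b23f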
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Linux | Linux | Affected: 855c54f1803e3ebc613677b4f389c7f92656a1fc , < 59970b2586fef4b13e96527b9d232bed30b640cd (git) |
| Linux | Linux | Affected: 50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4 , < a10b89343d41ceee1af0ec38d3a74e526c77fa09 (git) |
| Linux | Linux | Affected: 50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4 , < 7b9161a605e91d0987e2596a245dc1f21621b23f (git) |
| Linux | Linux | Affected: c386753db52b3a80afa6612bfdcb925aa5ca260f (git) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "59970b2586fef4b13e96527b9d232bed30b640cd",
"status": "affected",
"version": "855c54f1803e3ebc613677b4f389c7f92656a1fc",
"versionType": "git"
},
{
"lessThan": "a10b89343d41ceee1af0ec38d3a74e526c77fa09",
"status": "affected",
"version": "50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4",
"versionType": "git"
},
{
"lessThan": "7b9161a605e91d0987e2596a245dc1f21621b23f",
"status": "affected",
"version": "50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4",
"versionType": "git"
},
{
"status": "affected",
"version": "c386753db52b3a80afa6612bfdcb925aa5ca260f",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/f2fs/data.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "7.0"
},
{
"lessThan": "7.0",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.25",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.2",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.25",
"versionStartIncluding": "6.18.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.2",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1-rc1",
"versionStartIncluding": "7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "6.19.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer\n\nsyzbot reported a f2fs bug as below:\n\nBUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520\n f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520\n f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177\n f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1\n bio_endio+0x1006/0x1160 block/bio.c:1792\n submit_bio_noacct+0x533/0x2960 block/blk-core.c:891\n submit_bio+0x57a/0x620 block/blk-core.c:926\n blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]\n f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557\n f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775\n read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481\n __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576\n f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623\n do_read_inode fs/f2fs/inode.c:425 [inline]\n f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596\n f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184\n get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694\n get_tree_bdev+0x38/0x50 fs/super.c:1717\n f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436\n vfs_get_tree+0xb3/0x5d0 fs/super.c:1754\n fc_mount fs/namespace.c:1193 [inline]\n do_new_mount_fc fs/namespace.c:3763 [inline]\n do_new_mount+0x885/0x1dd0 fs/namespace.c:3839\n path_mount+0x7a2/0x20b0 fs/namespace.c:4159\n do_mount fs/namespace.c:4172 [inline]\n __do_sys_mount fs/namespace.c:4361 [inline]\n __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338\n x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is: in f2fs_finish_read_bio(), we may access uninit data\nin folio if we failed to read the data from device into folio, let\u0027s add\na check condition to avoid such issue."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T13:41:52.611Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/59970b2586fef4b13e96527b9d232bed30b640cd"
},
{
"url": "https://git.kernel.org/stable/c/a10b89343d41ceee1af0ec38d3a74e526c77fa09"
},
{
"url": "https://git.kernel.org/stable/c/7b9161a605e91d0987e2596a245dc1f21621b23f"
}
],
"title": "f2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43349",
"datePublished": "2026-05-08T13:41:52.611Z",
"dateReserved": "2026-05-01T14:12:56.003Z",
"dateUpdated": "2026-05-08T13:41:52.611Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43349",
"date": "2026-05-09",
"epss": "0.00017",
"percentile": "0.04127"
}
}
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.