HOMEVULNERABILITIESCVE-2026-23267
NONE

CVE-2026-23267

Published: March 18, 2026· Updated: Mar 19, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:6.3th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix IS_CHECKPOINTED flag inconsistency issue caused by concurrent atomic commit and checkpoint writes

During SPO tests, when mounting F2FS, an -EINVAL error was returned from

f2fs_recover_inode_page. The issue occurred under the following scenario

Thread A Thread B

f2fs_ioc_commit_atomic_write

- f2fs_do_sync_file // atomic = true

- f2fs_fsync_node_pages

: last_folio = inode folio

: schedule before folio_lock(last_folio) f2fs_write_checkpoint

- block_operations// writeback last_folio

- schedule before f2fs_flush_nat_entries

: set_fsync_mark(last_folio, 1)

: set_dentry_mark(last_folio, 1)

: folio_mark_dirty(last_folio)

- __write_node_folio(last_folio)

: f2fs_down_read(&sbi->node_write)//block

- f2fs_flush_nat_entries

: {struct nat_entry}->flag |= BIT(IS_CHECKPOINTED)

- unblock_operations

: f2fs_up_write(&sbi->node_write)

f2fs_write_checkpoint//return

: f2fs_do_write_node_page()

f2fs_ioc_commit_atomic_write//return

SPO

Thread A calls f2fs_need_dentry_mark(sbi, ino), and the last_folio has

already been written once. However, the {struct nat_entry}->flag did not

have the IS_CHECKPOINTED set, causing set_dentry_mark(last_folio, 1) and

write last_folio again after Thread B finishes f2fs_write_checkpoint.

After SPO and reboot, it was detected that {struct node_info}->blk_addr

was not NULL_ADDR because Thread B successfully write the checkpoint.

This issue only occurs in atomic write scenarios. For regular file

fsync operations, the folio must be dirty. If

block_operations->f2fs_sync_node_pages successfully submit the folio

write, this path will not be executed. Otherwise, the

f2fs_write_checkpoint will need to wait for the folio write submission

to complete, as sbi->nr_pages[F2FS_DIRTY_NODES] > 0. Therefore, the

situation where f2fs_need_dentry_mark checks that the {struct

nat_entry}->flag /wo the IS_CHECKPOINTED flag, but the folio write has

already been submitted, will not occur.

Therefore, for atomic file fsync, sbi->node_write should be acquired

through __write_node_folio to ensure that the IS_CHECKPOINTED flag

correctly indicates that the checkpoint write has been completed.

NVD Source

Technical Analysis

CVE-2026-23267 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-23267
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 18, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23267 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.