HOMEVULNERABILITIESCVE-2026-31714
MEDIUM

CVE-2026-31714

Published: May 1, 2026· Updated: May 6, 2026

5.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:4.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix to avoid memory leak in f2fs_rename()

syzbot reported a f2fs bug as below:

BUG: memory leak

unreferenced object 0xffff888127f70830 (size 16):

comm "syz.0.23", pid 6144, jiffies 4294943712

hex dump (first 16 bytes):

3c af 57 72 5b e6 8f ad 6e 8e fd 33 42 39 03 ff <.Wr[...n..3B9..

backtrace (crc 925f8a80):

kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]

slab_post_alloc_hook mm/slub.c:4520 [inline]

slab_alloc_node mm/slub.c:4844 [inline]

__do_kmalloc_node mm/slub.c:5237 [inline]

__kmalloc_noprof+0x3bd/0x560 mm/slub.c:5250

kmalloc_noprof include/linux/slab.h:954 [inline]

fscrypt_setup_filename+0x15e/0x3b0 fs/crypto/fname.c:364

f2fs_setup_filename+0x52/0xb0 fs/f2fs/dir.c:143

f2fs_rename+0x159/0xca0 fs/f2fs/namei.c:961

f2fs_rename2+0xd5/0xf20 fs/f2fs/namei.c:1308

vfs_rename+0x7ff/0x1250 fs/namei.c:6026

filename_renameat2+0x4f4/0x660 fs/namei.c:6144

__do_sys_renameat2 fs/namei.c:6173 [inline]

__se_sys_renameat2 fs/namei.c:6168 [inline]

__x64_sys_renameat2+0x59/0x80 fs/namei.c:6168

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]

do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94

entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is in commit 40b2d55e0452 ("f2fs: fix to create selinux

label during whiteout initialization"), we added a call to

f2fs_setup_filename() without a matching call to f2fs_free_filename(),

fix it.

NVD Source

Technical Analysis

CVE-2026-31714 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 5.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (5)

Quick Facts

CVE IDCVE-2026-31714
CVSS Score5.5 / 10
SeverityMEDIUM
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 1, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31714 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.