SB2026032085 - Type conversion in Linux kernel f2fs

Description

This security bulletin contains information about 1 security vulnerability.

1) Type conversion (CVE-ID: CVE-2026-23265)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the f2fs file system's node footer handling when processing node pages with corrupted footers. A local user can provide a specially crafted f2fs image containing corrupted node page footers to cause a denial of service.

Exploitation requires access to a fuzzed or malicious f2fs image and the ability to trigger asynchronous node page reads, such as via f2fs_ra_node_pages(). The system must load and process the corrupted node page, which later triggers a kernel BUG during writeback.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/50ac3ecd8e05b6bcc350c71a4307d40c030ec7e4
• https://git.kernel.org/stable/c/855c54f1803e3ebc613677b4f389c7f92656a1fc
• https://git.kernel.org/stable/c/c386753db52b3a80afa6612bfdcb925aa5ca260f