Time-of-check Time-of-use (TOCTOU) Race Condition in Linux kernel - CVE-2026-23267
Published: March 20, 2026
Vulnerability identifier: #VU124183
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23267
CWE-ID: CWE-367
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a race condition in the F2FS filesystem's handling of checkpoint flags during atomic write operations when processing concurrent atomic commit and checkpoint writes. A local user can trigger a specially crafted sequence of atomic file operations to cause an inconsistency in the IS_CHECKPOINTED flag, leading to improper state management of node pages.
The issue arises specifically during atomic write scenarios where a concurrent checkpoint write completes before the atomic commit fully marks the page, resulting in incorrect flag state that can be exploited to manipulate filesystem metadata structures.
How to mitigate CVE-2026-23267
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/32bc3c9fe18881d50dd51fd5f26d19fe1190dc0d
- https://git.kernel.org/stable/c/75e19da068adf0dc5dd269dd157392434b9117d4
- https://git.kernel.org/stable/c/7633a7387eb4d0259d6bea945e1d3469cd135bbc
- https://git.kernel.org/stable/c/962c167b0f262b9962207fbeaa531721d55ea00e
- https://git.kernel.org/stable/c/bd66b4c487d5091d2a65d6089e0de36f0c26a4c7
- https://git.kernel.org/stable/c/ed81bc5885460905f9160e7b463e5708fd056324