CVE-2026-23235

⚠️ high

Summary

Description

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix out-of-bounds access in sysfs attribute read/write

Some f2fs sysfs attributes suffer from out-of-bounds memory access and
incorrect handling of integer values whose size is not 4 bytes.

For example:
vm:~# echo 65537 > /sys/fs/f2fs/vde/carve_out
vm:~# cat /sys/fs/f2fs/vde/carve_out
65537
vm:~# echo 4294967297 > /sys/fs/f2fs/vde/atgc_age_threshold
vm:~# cat /sys/fs/f2fs/vde/atgc_age_threshold
1

carve_out maps to {struct f2fs_sb_info}->carve_out, which is a 8-bit
integer. However, the sysfs interface allows setting it to a value
larger than 255, resulting in an out-of-range update.

atgc_age_threshold maps to {struct atgc_management}->age_threshold,
which is a 64-bit integer, but its sysfs interface cannot correctly set
values larger than UINT_MAX.

The root causes are:
1. __sbi_store() treats all default values as unsigned int, which
prevents updating integers larger than 4 bytes and causes out-of-bounds
writes for integers smaller than 4 bytes.

2. f2fs_sbi_show() also assumes all default values are unsigned int,
leading to out-of-bounds reads and incorrect access to integers larger
than 4 bytes.

This patch introduces {struct f2fs_attr}->size to record the actual size
of the integer associated with each sysfs attribute. With this
information, sysfs read and write operations can correctly access and
update values according to their real data size, avoiding memory
corruption and truncation.

CVSS Score

7.1

High

EPSS Score

0.0

Exploit Probability

Published Date

2026-03-04

First Seen: 2026-03-05

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 53.9% of all 318,332 vulnerabilities in our database.

#146,604

Above average severity

Severity Percentile

Last Modified 2026-03-17

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE IDs (Weakness Types)

CWE-125

Vendor	Product	Status	Affected Versions
linux	linux_kernel	Affected	> 3.12 < 5.10.251
linux	linux_kernel	Affected	> 5.11 < 5.15.201
linux	linux_kernel	Affected	> 5.16 < 6.1.164
linux	linux_kernel	Affected	> 6.7 < 6.12.74
linux	linux_kernel	Affected	> 6.13 < 6.18.13
linux	linux_kernel	Affected	> 6.19 < 6.19.3
linux	linux_kernel	Affected	> 6.2 < 6.6.127

CVE-2026-23235

Summary

Description

📊 Relative Risk Intelligence

📦 Affected Products 7

🔗 References 8

🔗 Related CVEs 6

CVE ID	Severity	CVSS	Summary	Published
CVE-2026-23231	⚠️ high	7.8	In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix use-after-free in nf_tabl...	2026-03-04
CVE-2025-71238	⚠️ high	7.8	In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix bsg_done() causing double free ...	2026-03-04
CVE-2026-23232	🔶 medium	5.5	In the Linux kernel, the following vulnerability has been resolved: Revert "f2fs: block cache/dio write during f2fs_ena...	2026-03-04
CVE-2026-23233	⚠️ high	7.8	In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical block for...	2026-03-04
CVE-2026-23234	⚠️ high	7.8	In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_write_end_io() As s...	2026-03-04
CVE-2026-23236	🔶 medium	5.5	In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kerne...	2026-03-04