Severity: HIGH | CVE-2026-46175 | CNA: Linux

CVE-2026-46175: f2fs: fix fsck inconsistency caused by FGGC of node block

In the Linux kernel, the following vulnerability has been resolved:

f2fs: fix fsck inconsistency caused by FGGC of node block

During FGGC node block migration, fsck may incorrectly treat the migrated node block as fsync-written data.

The reproduction scenario:

    root@vm:/mnt/f2fs# seq 1 2048 | xargs -n 1 ./test_sync // write inline inode and sync
    root@vm:/mnt/f2fs# rm -f 1
    root@vm:/mnt/f2fs# sync
    root@vm:/mnt/f2fs# f2fs_io gc_range // move data block in sync mode and not write CP

SPO, "fsck --dry-run" find inode has already checkpointed but still with DENT_BIT_SHIFT set

The root cause is that GC does not clear the dentry mark and fsync mark during node block migration, leading fsck to misinterpret them as user-issued fsync writes.

In BGGC mode, node block migration is handled by f2fs_sync_node_pages(), which guarantees the dentry and fsync marks are cleared before writing.

This patch moves the set/clear of the fsync|dentry marks into __write_node_folio to make the logic clearer, and ensures the fsync|dentry mark is cleared in FGGC.

HarborGuard Analysis

Synopsis

A filesystem state corruption flaw exists in the Linux kernel's f2fs (Flash-Friendly File System) driver. A local attacker with low-privilege access can trigger Foreground Garbage Collection (FGGC) of node blocks, which migrates them without clearing the fsync and dentry marks; fsck then misinterprets the migrated node blocks as user-issued fsync writes, which corrupts filesystem metadata consistency. Successful exploitation allows an attacker to tamper with filesystem integrity and crash the affected filesystem, leading to data tampering and denial of service. A patched-image rebuild is available on HarborGuard for environments running affected kernel versions.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected Linux kernel versions. Any image carrying a kernel version below the fixed releases (6.18.30, 7.0.7, 7.1-rc1, or the upstream fix commit) is flagged automatically.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.1 HIGH and is capable of weighting that score against each environment's compliance policy to determine urgency. Triage results can be routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild at the fix versions (6.18.30, 7.0.7, 7.1-rc1) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Not required

    The attack vector is local (AV:L), so the attacker needs an existing shell or process on the host; no network access is required.

  • Authentication: Required

    The attacker must hold a low-privilege account on the target system; any standard user credential is sufficient (PR:L).

  • Victim interaction: Not required

    No victim interaction is required; the attacker can trigger the vulnerable code path entirely on their own (UI:N).

  • Attack complexity: Detail

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, memory layout randomization, or other environmental factors.

Blast Radius

  • The attacker corrupts f2fs filesystem metadata by causing fsck to misinterpret migrated node blocks, resulting in persistent filesystem inconsistency.
  • Tampered dentry and fsync marks in node blocks can cause subsequent filesystem checks and recovery operations to make incorrect decisions, potentially destroying directory entries or file data references.
  • The corrupted filesystem state can render the f2fs volume unmountable or trigger kernel-level errors that crash the filesystem layer, disrupting all services dependent on that volume.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46175 is active and capable of flagging any image that includes a Linux kernel below the patched versions (6.18.30, 7.0.7, or 7.1-rc1). For customers who opt into auto-remediation, HarborGuard can rebuild the image at a fixed kernel version, execute a regression run, and open a pull request against affected workloads, with a median turnaround of approximately 90 minutes for high-severity issues. Where compliance policy requires manual review, HarborGuard surfaces the finding with full CVSS context and fix-version details so engineering teams can prioritize the upgrade. As a compensating control prior to patching, network-policy isolation of workloads mounting f2fs volumes and restricting the local shell access given to unprivileged users on those hosts will reduce exposure, since exploitation requires local low-privilege access.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 0
Affected Products: 2

Fix available

  • 0
  • 6.18.30
  • 7.0.7
  • 7.1-rc1
  • 8be551f538dc5b64183e27bd45a7a0795263f760
  • c3e238bd1f56993f205ef83889d406dfeaf717a8
  • e7c6d30169b03307d27c4479563df79c08f3a746

Affected packages
  • Linux / Linux
    < 8be551f538dc5b64183e27bd45a7a0795263f760 (from da011cc0da8cf4a60ddf4d2ae8b42902a3d71e5f) · < e7c6d30169b03307d27c4479563df79c08f3a746 (from da011cc0da8cf4a60ddf4d2ae8b42902a3d71e5f) · < c3e238bd1f56993f205ef83889d406dfeaf717a8 (from da011cc0da8cf4a60ddf4d2ae8b42902a3d71e5f)
  • Linux / Linux
    4.7
    Fixed in 0, 6.18.30, 7.0.7, 7.1-rc1
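
The fix versions above belong to different release series, so a single "older than X" comparison gives wrong answers: "< 7.1" would flag the already fixed 6.18.30 and 7.0.7, while "< 6.18.30" would miss 7.0.3. The following series-aware check is an added example, not HarborGuard's matching logic or kernel project code; the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Values taken from this page's "Affected packages" / "Fixed in" data.
INTRODUCED = (4, 7)                      # first affected release series
STABLE_FIXES = {(6, 18): 30, (7, 0): 7}  # fixed in 6.18.30 and 7.0.7
MAINLINE_FIX = (7, 1)                    # fixed in 7.1-rc1, so all of 7.1 and later

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from a `uname -r` style string.

    Suffixes such as "-rc3" or "-generic" are ignored; a missing patch
    level (as in "7.1-rc1") is read as 0.
    """
    match = _RELEASE.match(release.strip())
    if match is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(release):
    """True if the release predates the fix for its own series."""
    major, minor, patch = parse_release(release)
    series = (major, minor)
    if series < INTRODUCED or series >= MAINLINE_FIX:
        return False
    fixed_patch = STABLE_FIXES.get(series)
    if fixed_patch is None:
        # No fix release is listed for this series on the page, so treat
        # it as affected. Distro kernels may carry a backport that the
        # version string does not reveal.
        return True
    return patch < fixed_patch


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = ["4.6.7", "5.15.0-91-generic", "6.18.29", "6.18.30",
          "7.0-rc4", "7.0.7", "7.1-rc1", "7.2.3"]

if __name__ == "__main__":
    for rel in SAMPLE:
        print(f"{rel:20} {'AFFECTED' if is_affected(rel) else 'ok'}")
```

A version match only says the kernel build predates the fix; whether a host is exposed also depends on it mounting an f2fs volume.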
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H