CVE-2026-53303
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
In the Linux kernel, a vulnerability in the F2FS filesystem was found where f2fs_sbi_show() reads extension_list, extension_count, and hot_ext_count without holding sb_lock. Concurrent modification via sysfs can lead to inconsistent reads, potentially causing out-of-bounds access or displaying stale data.
Risk Assessment
The risk involves potential data integrity issues in the F2FS filesystem, information leakage, or system crashes due to reading inconsistent or outdated extension list data.
Recommendation
Immediately update the Linux kernel to a version containing the fix that holds sb_lock around the extension list read and format operation in f2fs_sbi_show().
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show() In f2fs_sbi_show(), the extension_list, extension_count and hot_ext_count are read without holding sbi->sb_lock. If a concurrent sysfs store modifies the extension list via f2fs_update_extension_list(), the show path may read inconsistent count and array contents, potentially leading to out-of-bounds access or displaying stale data. Fix this by holding sb_lock around the entire extension list read and format operation.

