{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-23233", "tracking": { "current_release_date": "2026-03-31T16:48:08.212350Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-23233", "initial_release_date": "2026-03-04T15:26:06.535154Z", "revision_history": [ { "date": "2026-03-04T15:26:06.535154Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| References created (5)." }, { "date": "2026-03-04T15:26:13.009632Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-04T15:39:11.068602Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products created (5).| Products connected (7).| References created (5)." }, { "date": "2026-03-04T15:39:15.081230Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-04T15:52:28.827222Z", "number": "5", "summary": "NCSC Score updated." }, { "date": "2026-03-04T18:43:33.083715Z", "number": "6", "summary": "Source created.| CVE status created. (valid)| Products connected (2)." }, { "date": "2026-03-05T00:27:39.795383Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| Products connected (13).| Product Identifiers created (5).| References created (3)." }, { "date": "2026-03-05T06:43:23.713962Z", "number": "8", "summary": "Description created for source." }, { "date": "2026-03-05T13:05:39.247364Z", "number": "9", "summary": "Source connected.| CVE status created. (valid)| Products connected (2).| References created (13)." }, { "date": "2026-03-05T13:05:41.228018Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-05T14:21:51.571738Z", "number": "11", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-05T14:21:56.697701Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-13T08:24:52.024852Z", "number": "13", "summary": "Products connected (1).| References created (2)." }, { "date": "2026-03-13T08:24:59.143572Z", "number": "14", "summary": "NCSC Score updated." }, { "date": "2026-03-16T03:41:43.552730Z", "number": "15", "summary": "Source connected.| CVE status created. (valid)" }, { "date": "2026-03-16T10:38:02.704987Z", "number": "16", "summary": "References created (2)." }, { "date": "2026-03-17T21:27:15.061286Z", "number": "17", "summary": "CVSS created.| Products created (2).| Product Identifiers created (4).| Products connected (2).| CWES updated (1)." }, { "date": "2026-03-17T21:27:17.468886Z", "number": "18", "summary": "NCSC Score updated." }, { "date": "2026-03-19T12:19:55.697113Z", "number": "19", "summary": "Source connected.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1)." }, { "date": "2026-03-19T12:20:06.809116Z", "number": "20", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:55:46.246229Z", "number": "21", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T09:55:48.310182Z", "number": "22", "summary": "NCSC Score updated." }, { "date": "2026-03-20T20:24:20.056230Z", "number": "23", "summary": "Products connected (1).| References created (1)." }, { "date": "2026-03-20T20:24:23.739921Z", "number": "24", "summary": "NCSC Score updated." }, { "date": "2026-03-21T12:19:49.070148Z", "number": "25", "summary": "Product Remediations created (1)." }, { "date": "2026-03-21T12:19:51.094920Z", "number": "26", "summary": "NCSC Score updated." }, { "date": "2026-03-24T21:47:42.805488Z", "number": "27", "summary": "Products connected (1).| References created (1)." }, { "date": "2026-03-24T21:47:45.082384Z", "number": "28", "summary": "NCSC Score updated." }, { "date": "2026-03-31T11:05:05.228372Z", "number": "29", "summary": "Products connected (1).| References created (2)." }, { "date": "2026-03-31T11:05:07.583668Z", "number": "30", "summary": "NCSC Score updated." } ], "status": "interim", "version": "30" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/unknown", "product": { "name": "vers:unknown/unknown", "product_id": "CSAFPID-1330296", "product_identification_helper": { "cpe": "cpe:/o:amazon:linux_2:-" } } } ], "category": "product_name", "name": "Amazon Linux 2" } ], "category": "vendor", "name": "Amazon" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/azl3", "product": { "name": "vers:unknown/azl3", "product_id": "CSAFPID-5247946", "product_identification_helper": { "cpe": "cpe:/o:microsoft:azure_linux:azl3" } } } ], "category": "product_name", "name": "Azure Linux" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:microsoft/*", "product": { "name": "vers:microsoft/*", "product_id": "CSAFPID-5761981", "product_identification_helper": { "cpe": "cpe:2.3:a:microsoft:azl3_kernel_6.6.126.1-1:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "azl3 kernel 6.6.126.1-1 on Azure Linux 3.0" } ], "category": "product_family", "name": "Open Source Software" } ], "category": "vendor", "name": "Microsoft" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/unknown", "product": { "name": "vers:unknown/unknown", "product_id": "CSAFPID-1295663", "product_identification_helper": { "cpe": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "Debian Linux" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/*", "product": { "name": "vers:deb/*", "product_id": "CSAFPID-2036022" } } ], "category": "product_name", "name": "linux" } ], "category": "product_family", "name": "bookworm" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:deb/*", "product": { "name": "vers:deb/*", "product_id": "CSAFPID-2036023" } } ], "category": "product_name", "name": "linux" } ], "category": "product_family", "name": "bullseye" } ], "category": "vendor", "name": "Debian" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:git/40d76c393cca83938b11eb7ca8983aa3cd0ed69b|=6.13|<6.18.13", "product": { "name": "vers:unknown/>=6.13|<6.18.13", "product_id": "CSAFPID-5839369", "product_identification_helper": { "cpe": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=6.19|<6.19.3", "product": { "name": "vers:unknown/>=6.19|<6.19.3", "product_id": "CSAFPID-5839370", "product_identification_helper": { "cpe": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=6.6.33|<6.6.127", "product": { "name": "vers:unknown/>=6.6.33|<6.6.127", "product_id": "CSAFPID-5839371", "product_identification_helper": { "cpe": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=6.9|<6.12.74", "product": { "name": "vers:unknown/>=6.9|<6.12.74", "product_id": "CSAFPID-5839372", "product_identification_helper": { "cpe": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "linux_kernel" } ], "category": "vendor", "name": "Linux" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/unknown", "product": { "name": "vers:unknown/unknown", "product_id": "CSAFPID-1330297", "product_identification_helper": { "cpe": "cpe:/o:linux:linux_kernel:unspecified" } } } ], "category": "product_name", "name": "Open Source Linux Kernel" } ], "category": "vendor", "name": "Open Source" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/unknown", "product": { "name": "vers:unknown/unknown", "product_id": "CSAFPID-1317177", "product_identification_helper": { "cpe": "cpe:/o:oracle:linux:-" } } } ], "category": "product_name", "name": "Oracle Linux" } ], "category": "vendor", "name": "Oracle" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/unknown", "product": { "name": "vers:unknown/unknown", "product_id": "CSAFPID-1317175", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:-" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/10", "product": { "name": "vers:rpm/10", "product_id": "CSAFPID-2858634", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:10" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 10" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/6", "product": { "name": "vers:rpm/6", "product_id": "CSAFPID-1439321", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:6" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 6" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/7", "product": { "name": "vers:rpm/7", "product_id": "CSAFPID-1439315", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:7" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/8", "product": { "name": "vers:rpm/8", "product_id": "CSAFPID-1439317", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:8" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/9", "product": { "name": "vers:rpm/9", "product_id": "CSAFPID-1439319", "product_identification_helper": { "cpe": "cpe:/a:redhat:enterprise_linux:9" } } } ], "category": "product_name", "name": "Red Hat Enterprise Linux 9" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-2858635" } } ], "category": "product_name", "name": "kernel" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 10" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453376" } } ], "category": "product_name", "name": "kernel" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 6" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453377" } } ], "category": "product_name", "name": "kernel" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453378" } } ], "category": "product_name", "name": "kernel-rt" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 7" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453379" } } ], "category": "product_name", "name": "kernel" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453380" } } ], "category": "product_name", "name": "kernel-rt" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 8" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453381" } } ], "category": "product_name", "name": "kernel" }, { "branches": [ { "category": "product_version_range", "name": "vers:rpm/unknown", "product": { "name": "vers:rpm/unknown", "product_id": "CSAFPID-1453382" } } ], "category": "product_name", "name": "kernel-rt" } ], "category": "product_family", "name": "Red Hat Enterprise Linux 9" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-23233", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "notes": [ { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid mapping wrong physical block for swapfile\n\nXiaolong Guo reported a f2fs bug in bugzilla [1]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951\n\nQuoted:\n\n\"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,\nthe system experiences data corruption leading to either:\n1 dm-verity corruption errors and device reboot\n2 F2FS node corruption errors and boot hangs\n\nThe issue occurs specifically when:\n1 Using F2FS filesystem (ext4 is unaffected)\n2 Swapfile size is less than F2FS section size (2MB)\n3 Swapfile has fragmented physical layout (multiple non-contiguous extents)\n4 Kernel version is 6.6+ (6.1 is unaffected)\n\nThe root cause is in check_swap_activate() function in fs/f2fs/data.c. When the\nfirst extent of a small swapfile (< 2MB) is not aligned to section boundaries,\nthe function incorrectly treats it as the last extent, failing to map\nsubsequent extents. This results in incorrect swap_extent creation where only\nthe first extent is mapped, causing subsequent swap writes to overwrite wrong\nphysical locations (other files' data).\n\nSteps to Reproduce\n1 Setup a device with F2FS-formatted userdata partition\n2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng\n3 Run swap stress test: (Android devices)\nadb shell \"cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60\n--swap 0\"\n\nLog:\n1 Ftrace shows in kernel 6.6, only first extent is mapped during second\nf2fs_map_blocks call in check_swap_activate():\nstress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start\nblkaddr=0x43143, len=0x1\n(Only 4KB mapped, not the full swapfile)\n2 in kernel 6.1, both extents are correctly mapped:\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start\nblkaddr=0x13cd4, len=0x1\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start\nblkaddr=0x60c84b, len=0xff\n\nThe problematic code is in check_swap_activate():\nif ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||\n nr_pblocks % blks_per_sec ||\n !f2fs_valid_pinned_area(sbi, pblock)) {\n bool last_extent = false;\n\n not_aligned++;\n\n nr_pblocks = roundup(nr_pblocks, blks_per_sec);\n if (cur_lblock + nr_pblocks > sis->max)\n nr_pblocks -= blks_per_sec;\n\n /* this extent is last one */\n if (!nr_pblocks) {\n nr_pblocks = last_lblock - cur_lblock;\n last_extent = true;\n }\n\n ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);\n if (ret) {\n if (ret == -ENOENT)\n ret = -EINVAL;\n goto out;\n }\n\n if (!last_extent)\n goto retry;\n}\n\nWhen the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)\nexceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The\ncode then incorrectly assumes this is the last extent, sets nr_pblocks =\nlast_lblock - cur_lblock (entire swapfile), and performs migration. After\nmigration, it doesn't retry mapping, so subsequent extents are never processed.\n\"\n\nIn order to fix this issue, we need to lookup block mapping info after\nwe migrate all blocks in the tail of swapfile.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-23233" }, { "category": "description", "text": "No description is available for this CVE.", "title": "redhat - https://access.redhat.com/security/cve/CVE-2026-23233" }, { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid mapping wrong physical block for swapfile\n\nXiaolong Guo reported a f2fs bug in bugzilla [1]\n\n[1] https://bugzilla.kernel.org/show_bug.cgi?id=220951\n\nQuoted:\n\n\"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+,\nthe system experiences data corruption leading to either:\n1 dm-verity corruption errors and device reboot\n2 F2FS node corruption errors and boot hangs\n\nThe issue occurs specifically when:\n1 Using F2FS filesystem (ext4 is unaffected)\n2 Swapfile size is less than F2FS section size (2MB)\n3 Swapfile has fragmented physical layout (multiple non-contiguous extents)\n4 Kernel version is 6.6+ (6.1 is unaffected)\n\nThe root cause is in check_swap_activate() function in fs/f2fs/data.c. When the\nfirst extent of a small swapfile (< 2MB) is not aligned to section boundaries,\nthe function incorrectly treats it as the last extent, failing to map\nsubsequent extents. This results in incorrect swap_extent creation where only\nthe first extent is mapped, causing subsequent swap writes to overwrite wrong\nphysical locations (other files' data).\n\nSteps to Reproduce\n1 Setup a device with F2FS-formatted userdata partition\n2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng\n3 Run swap stress test: (Android devices)\nadb shell \"cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60\n--swap 0\"\n\nLog:\n1 Ftrace shows in kernel 6.6, only first extent is mapped during second\nf2fs_map_blocks call in check_swap_activate():\nstress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start\nblkaddr=0x43143, len=0x1\n(Only 4KB mapped, not the full swapfile)\n2 in kernel 6.1, both extents are correctly mapped:\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start\nblkaddr=0x13cd4, len=0x1\nstress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start\nblkaddr=0x60c84b, len=0xff\n\nThe problematic code is in check_swap_activate():\nif ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec ||\n nr_pblocks % blks_per_sec ||\n !f2fs_valid_pinned_area(sbi, pblock)) {\n bool last_extent = false;\n\n not_aligned++;\n\n nr_pblocks = roundup(nr_pblocks, blks_per_sec);\n if (cur_lblock + nr_pblocks > sis->max)\n nr_pblocks -= blks_per_sec;\n\n /* this extent is last one */\n if (!nr_pblocks) {\n nr_pblocks = last_lblock - cur_lblock;\n last_extent = true;\n }\n\n ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks);\n if (ret) {\n if (ret == -ENOENT)\n ret = -EINVAL;\n goto out;\n }\n\n if (!last_extent)\n goto retry;\n}\n\nWhen the first extent is unaligned and roundup(nr_pblocks, blks_per_sec)\nexceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The\ncode then incorrectly assumes this is the last extent, sets nr_pblocks =\nlast_lblock - cur_lblock (entire swapfile), and performs migration. After\nmigration, it doesn't retry mapping, so subsequent extents are never processed.\n\"\n\nIn order to fix this issue, we need to lookup block mapping info after\nwe migrate all blocks in the tail of swapfile.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-23233" }, { "category": "description", "text": "In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid mapping wrong physical block for swapfile Xiaolong Guo reported a f2fs bug in bugzilla [1] [1] https://bugzilla.kernel.org/show_bug.cgi?id=220951 Quoted: \"When using stress-ng's swap stress test on F2FS filesystem with kernel 6.6+, the system experiences data corruption leading to either: 1 dm-verity corruption errors and device reboot 2 F2FS node corruption errors and boot hangs The issue occurs specifically when: 1 Using F2FS filesystem (ext4 is unaffected) 2 Swapfile size is less than F2FS section size (2MB) 3 Swapfile has fragmented physical layout (multiple non-contiguous extents) 4 Kernel version is 6.6+ (6.1 is unaffected) The root cause is in check_swap_activate() function in fs/f2fs/data.c. When the first extent of a small swapfile (< 2MB) is not aligned to section boundaries, the function incorrectly treats it as the last extent, failing to map subsequent extents. This results in incorrect swap_extent creation where only the first extent is mapped, causing subsequent swap writes to overwrite wrong physical locations (other files' data). Steps to Reproduce 1 Setup a device with F2FS-formatted userdata partition 2 Compile stress-ng from https://github.com/ColinIanKing/stress-ng 3 Run swap stress test: (Android devices) adb shell \"cd /data/stressng; ./stress-ng-64 --metrics-brief --timeout 60 --swap 0\" Log: 1 Ftrace shows in kernel 6.6, only first extent is mapped during second f2fs_map_blocks call in check_swap_activate(): stress-ng-swap-8990: f2fs_map_blocks: ino=11002, file offset=0, start blkaddr=0x43143, len=0x1 (Only 4KB mapped, not the full swapfile) 2 in kernel 6.1, both extents are correctly mapped: stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=0, start blkaddr=0x13cd4, len=0x1 stress-ng-swap-5966: f2fs_map_blocks: ino=28011, file offset=1, start blkaddr=0x60c84b, len=0xff The problematic code is in check_swap_activate(): if ((pblock - SM_I(sbi)->main_blkaddr) % blks_per_sec || nr_pblocks % blks_per_sec || !f2fs_valid_pinned_area(sbi, pblock)) { bool last_extent = false; not_aligned++; nr_pblocks = roundup(nr_pblocks, blks_per_sec); if (cur_lblock + nr_pblocks > sis->max) nr_pblocks -= blks_per_sec; /* this extent is last one */ if (!nr_pblocks) { nr_pblocks = last_lblock - cur_lblock; last_extent = true; } ret = f2fs_migrate_blocks(inode, cur_lblock, nr_pblocks); if (ret) { if (ret == -ENOENT) ret = -EINVAL; goto out; } if (!last_extent) goto retry; } When the first extent is unaligned and roundup(nr_pblocks, blks_per_sec) exceeds sis->max, we subtract blks_per_sec resulting in nr_pblocks = 0. The code then incorrectly assumes this is the last extent, sets nr_pblocks = last_lblock - cur_lblock (entire swapfile), and performs migration. After migration, it doesn't retry mapping, so subsequent extents are never processed. \" In order to fix this issue, we need to lookup block mapping info after we migrate all blocks in the tail of swapfile.", "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-23233" }, { "category": "description", "text": "f2fs: fix to avoid mapping wrong physical block for swapfile", "title": "microsoft - https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar" }, { "category": "other", "text": "0.00013", "title": "EPSS" }, { "category": "other", "text": "3.9", "title": "NCSC Score" }, { "category": "other", "text": "VENDOR FIX as product remediation category", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "Is related to a product by vendor Debian, Is related to (a version of) product Linux Kernel, The value of the most recent EPSS score, Is related to a product by vendor Linux", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-1286675", "CSAFPID-5758163", "CSAFPID-5758164", "CSAFPID-5758165", "CSAFPID-5758166", "CSAFPID-5758167", "CSAFPID-1330297", "CSAFPID-5247946", "CSAFPID-1295663", "CSAFPID-5839369", "CSAFPID-5839370", "CSAFPID-5839371", "CSAFPID-5839372", "CSAFPID-5761981", "CSAFPID-1330296", "CSAFPID-1317177", "CSAFPID-1317175" ], "known_not_affected": [ "CSAFPID-1286676", "CSAFPID-5635303", "CSAFPID-5635304", "CSAFPID-5669083", "CSAFPID-5758151", "CSAFPID-5758160", "CSAFPID-2036022", "CSAFPID-2036023", "CSAFPID-1439315", "CSAFPID-1439317", "CSAFPID-1439319", "CSAFPID-1439321", "CSAFPID-1453376", "CSAFPID-1453377", "CSAFPID-1453378", "CSAFPID-1453379", "CSAFPID-1453380", "CSAFPID-1453381", "CSAFPID-1453382", "CSAFPID-2858634", "CSAFPID-2858635" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23233" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-23233" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-23233" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/23xxx/CVE-2026-23233.json" }, { "category": "external", "summary": "Source - debian", "url": "https://security-tracker.debian.org/tracker/CVE-2026-23233" }, { "category": "external", "summary": "Source - redhat", "url": "https://access.redhat.com/security/cve/CVE-2026-23233" }, { "category": "external", "summary": "Source raw - redhat", "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23233.json" }, { "category": "external", "summary": "Source - certbundde", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0614.json" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23233" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - hkcert", "url": "https://www.hkcert.org/security-bulletin/debian-linux-kernel-multiple-vulnerabilities_20260316" }, { "category": "external", "summary": "Source - microsoft", "url": "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2026-Mar" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/1ff415eef513bf12deb058fc50d57788c46c48e6" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/5c145c03188bc9ba1c29e0bc4d527a5978fc47f9" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/607cb9d83838d2cd9f0406c2403ed61aadf0edff" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/d4534a7f6c92baaf7e12a45fc6e37332cafafc33" }, { "category": "external", "summary": "Reference - cveprojectv5; nvd", "url": "https://git.kernel.org/stable/c/fee27b69dde1a05908b350eea42937af2387c4fe" }, { "category": "external", "summary": "Reference - redhat", "url": "https://www.cve.org/CVERecord?id=CVE-2026-23233" }, { "category": "external", "summary": "Reference - redhat", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23233" }, { "category": "external", "summary": "Reference - redhat", "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23233-4413@gregkh/T" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0614.json" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0614" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030437-CVE-2025-71238-76bc@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23231-1a96@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23232-b24d@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23233-4413@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030439-CVE-2026-23234-5cef@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23235-3b8d@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23236-b419@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23237-f6fb@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23238-47f3@gregkh/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://msrc.microsoft.com/update-guide/" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lists.debian.org/debian-security-announce/2026/msg00072.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lists.debian.org/debian-security-announce/2026/msg00071.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00002.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00003.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://alas.aws.amazon.com/AL2/ALAS2KERNEL-5.10-2026-114.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://linux.oracle.com/errata/ELSA-2026-50160.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://linux.oracle.com/errata/ELSA-2026-6053.html" }, { "category": "external", "summary": "Reference - certbundde", "url": "https://access.redhat.com/errata/RHSA-2026:6053" } ], "remediations": [ { "category": "vendor_fix", "details": "CBL-Mariner Releases", "product_ids": [ "CSAFPID-5761981" ] } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-1286675", "CSAFPID-1295663", "CSAFPID-1317175", "CSAFPID-1317177", "CSAFPID-1330296", "CSAFPID-1330297", "CSAFPID-5247946", "CSAFPID-5758163", "CSAFPID-5758164", "CSAFPID-5758165", "CSAFPID-5758166", "CSAFPID-5758167", "CSAFPID-5761981", "CSAFPID-5839369", "CSAFPID-5839370", "CSAFPID-5839371", "CSAFPID-5839372" ] } ], "title": "CVE-2026-23233" } ] }