{"id":"CVE-2026-53303","summary":"f2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: protect extension_list reading with sb_lock in f2fs_sbi_show()\n\nIn f2fs_sbi_show(), the extension_list, extension_count and\nhot_ext_count are read without holding sbi-\u003esb_lock. If a concurrent\nsysfs store modifies the extension list via f2fs_update_extension_list(),\nthe show path may read inconsistent count and array contents, potentially\nleading to out-of-bounds access or displaying stale data.\n\nFix this by holding sb_lock around the entire extension list read\nand format operation.","modified":"2026-07-08T08:07:25.198416695Z","published":"2026-06-26T19:40:59.383Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53303.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/4b3a1bf4c2ffd4c9595d900ead78c9035894a025"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5909bedbed38c558bee7cb6758ceedf9bc3a9194"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cea15f66b7b68b2c50943a6660e0692c6635e4eb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d0e877810baf613b018fd9747440b9d4d9db1428"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d3ff0c121bbaef026df6248ab7ef6f0b068b0647"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ea3ab43a1f3cf2c7cecd75c8be1ee99a5e94a92e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53303.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53303"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b6a06cbbb5f7fd03589cff9178314af04c568826"},{"fixed":"d3ff0c121bbaef026df6248ab7ef6f0b068b0647"},{"fixed":"cea15f66b7b68b2c50943a6660e0692c6635e4eb"},{"fixed":"4b3a1bf4c2ffd4c9595d900ead78c9035894a025"},{"fixed":"d0e877810baf613b018fd9747440b9d4d9db1428"},{"fixed":"ea3ab43a1f3cf2c7cecd75c8be1ee99a5e94a92e"},{"fixed":"5909bedbed38c558bee7cb6758ceedf9bc3a9194"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53303.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.17.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.141"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.91"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.33"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.10"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53303.json"}}],"schema_version":"1.7.5"}