CVE-2026-31465 (GCVE-0-2026-31465)

Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:09
Title
writeback: don't block sync for filesystems with no data integrity guarantees
Summary
In the Linux kernel, the following vulnerability has been resolved:

writeback: don't block sync for filesystems with no data integrity guarantees

Add a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot guarantee data persistence on sync (eg fuse). For superblocks with this flag set, sync kicks off writeback of dirty inodes but does not wait for the flusher threads to complete the writeback.

This replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in commit f9a49aa302a0 ("fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes()"). The flag belongs at the superblock level because data integrity is a filesystem-wide property, not a per-inode one. Having this flag at the superblock level also allows us to skip having to iterate every dirty inode in wait_sb_inodes() only to skip each inode individually.

Prior to this commit, mappings with no data integrity guarantees skipped waiting on writeback completion but still waited on the flusher threads to finish initiating the writeback. Waiting on the flusher threads is unnecessary. This commit kicks off writeback but does not wait on the flusher threads. This change properly addresses a recent report [1] for a suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting on the flusher threads to finish:

    Workqueue: pm_fs_sync pm_fs_sync_work_fn
    Call Trace:
     <TASK>
     __schedule+0x457/0x1720
     schedule+0x27/0xd0
     wb_wait_for_completion+0x97/0xe0
     sync_inodes_sb+0xf8/0x2e0
     __iterate_supers+0xdc/0x160
     ksys_sync+0x43/0xb0
     pm_fs_sync_work_fn+0x17/0xa0
     process_one_work+0x193/0x350
     worker_thread+0x1a1/0x310
     kthread+0xfc/0x240
     ret_from_fork+0x243/0x280
     ret_from_fork_asm+0x1a/0x30
     </TASK>

On fuse this is problematic because there are paths that may cause the flusher thread to block (eg if systemd freezes the user session cgroups first, which freezes the fuse daemon, before invoking the kernel suspend. The kernel suspend triggers ->write_node() which on fuse issues a synchronous setattr request, which cannot be processed since the daemon is frozen. Or if the daemon is buggy and cannot properly complete writeback, initiating writeback on a dirty folio already under writeback leads to writeback_get_folio() -> folio_prepare_writeback() -> unconditional wait on writeback to finish, which will cause a hang). This commit restores fuse to its prior behavior before tmp folios were removed, where sync was essentially a no-op.

[1] https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1
Severity
No CVSS data available.
Assigner
Linux
Impacted products
Vendor   Product   Version
Linux    Linux     Affected: 0c58a97f919c24fe4245015f4375a39ff05665b6 , < 83800f8ef358ea2fc9b1ae4986b83f2bc24be927 (git)
                   Affected: 0c58a97f919c24fe4245015f4375a39ff05665b6 , < 5c24a13d8a0466ca0446e58309e51f2606520164 (git)
                   Affected: 0c58a97f919c24fe4245015f4375a39ff05665b6 , < 76f9377cd2ab7a9220c25d33940d9ca20d368172 (git)
Linux    Linux     Affected: 6.16
                   Unaffected: 0 , < 6.16 (semver)
                   Unaffected: 6.18.21 , ≤ 6.18.* (semver)
                   Unaffected: 6.19.11 , ≤ 6.19.* (semver)
                   Unaffected: 7.0 , ≤ * (original_commit_for_fix)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/fs-writeback.c",
            "fs/fuse/file.c",
            "fs/fuse/inode.c",
            "include/linux/fs/super_types.h",
            "include/linux/pagemap.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83800f8ef358ea2fc9b1ae4986b83f2bc24be927",
              "status": "affected",
              "version": "0c58a97f919c24fe4245015f4375a39ff05665b6",
              "versionType": "git"
            },
            {
              "lessThan": "5c24a13d8a0466ca0446e58309e51f2606520164",
              "status": "affected",
              "version": "0c58a97f919c24fe4245015f4375a39ff05665b6",
              "versionType": "git"
            },
            {
              "lessThan": "76f9377cd2ab7a9220c25d33940d9ca20d368172",
              "status": "affected",
              "version": "0c58a97f919c24fe4245015f4375a39ff05665b6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/fs-writeback.c",
            "fs/fuse/file.c",
            "fs/fuse/inode.c",
            "include/linux/fs/super_types.h",
            "include/linux/pagemap.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.16"
            },
            {
              "lessThan": "6.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: don\u0027t block sync for filesystems with no data integrity guarantees\n\nAdd a SB_I_NO_DATA_INTEGRITY superblock flag for filesystems that cannot\nguarantee data persistence on sync (eg fuse). For superblocks with this\nflag set, sync kicks off writeback of dirty inodes but does not wait\nfor the flusher threads to complete the writeback.\n\nThis replaces the per-inode AS_NO_DATA_INTEGRITY mapping flag added in\ncommit f9a49aa302a0 (\"fs/writeback: skip AS_NO_DATA_INTEGRITY mappings\nin wait_sb_inodes()\"). The flag belongs at the superblock level because\ndata integrity is a filesystem-wide property, not a per-inode one.\nHaving this flag at the superblock level also allows us to skip having\nto iterate every dirty inode in wait_sb_inodes() only to skip each inode\nindividually.\n\nPrior to this commit, mappings with no data integrity guarantees skipped\nwaiting on writeback completion but still waited on the flusher threads\nto finish initiating the writeback. Waiting on the flusher threads is\nunnecessary. This commit kicks off writeback but does not wait on the\nflusher threads. This change properly addresses a recent report [1] for\na suspend-to-RAM hang seen on fuse-overlayfs that was caused by waiting\non the flusher threads to finish:\n\nWorkqueue: pm_fs_sync pm_fs_sync_work_fn\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x457/0x1720\n schedule+0x27/0xd0\n wb_wait_for_completion+0x97/0xe0\n sync_inodes_sb+0xf8/0x2e0\n __iterate_supers+0xdc/0x160\n ksys_sync+0x43/0xb0\n pm_fs_sync_work_fn+0x17/0xa0\n process_one_work+0x193/0x350\n worker_thread+0x1a1/0x310\n kthread+0xfc/0x240\n ret_from_fork+0x243/0x280\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nOn fuse this is problematic because there are paths that may cause the\nflusher thread to block (eg if systemd freezes the user session cgroups\nfirst, which freezes the fuse daemon, before invoking the kernel\nsuspend. The kernel suspend triggers -\u003ewrite_node() which on fuse issues\na synchronous setattr request, which cannot be processed since the\ndaemon is frozen. Or if the daemon is buggy and cannot properly complete\nwriteback, initiating writeback on a dirty folio already under writeback\nleads to writeback_get_folio() -\u003e folio_prepare_writeback() -\u003e\nunconditional wait on writeback to finish, which will cause a hang).\nThis commit restores fuse to its prior behavior before tmp folios were\nremoved, where sync was essentially a no-op.\n\n[1] https://lore.kernel.org/linux-fsdevel/CAJnrk1a-asuvfrbKXbEwwDSctvemF+6zfhdnuzO65Pt8HsFSRw@mail.gmail.com/T/#m632c4648e9cafc4239299887109ebd880ac6c5c1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:09:15.426Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83800f8ef358ea2fc9b1ae4986b83f2bc24be927"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c24a13d8a0466ca0446e58309e51f2606520164"
        },
        {
          "url": "https://git.kernel.org/stable/c/76f9377cd2ab7a9220c25d33940d9ca20d368172"
        }
      ],
      "title": "writeback: don\u0027t block sync for filesystems with no data integrity guarantees",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31465",
    "datePublished": "2026-04-22T13:53:55.614Z",
    "dateReserved": "2026-03-09T15:48:24.097Z",
    "dateUpdated": "2026-05-11T22:09:15.426Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31465",
      "date": "2026-05-23",
      "epss": "0.00013",
      "percentile": "0.02273"
    }
  }
}

