CVE-2026-31449

HIGH

ext4: validate p_idx bounds in ext4_ext_correct_indexes

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buffer, causing a slab-out-of-bounds read. Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at both access sites: before the while loop and inside it. Return -EFSCORRUPTED if the index pointer is out of range, consistent with how other bounds violations are handled in the ext4 extent tree code.

Scores

CVSS v3 7.8
EPSS 0.0014
EPSS Percentile 3.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-125
Status published
Products (32)
linux/Kernel 2.6.19 - 5.10.259linux
linux/Kernel 5.11.0 - 5.15.210linux
linux/Kernel 5.16.0 - 6.1.175linux
linux/Kernel 6.13.0 - 6.18.21linux
linux/Kernel 6.19.0 - 6.19.11linux
linux/Kernel 6.2.0 - 6.6.140linux
linux/Kernel 6.7.0 - 6.12.80linux
Linux/Linux < 2.6.19
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 01bf1e0b997d82c0e353b51ed74ef99698043c33
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8
... and 22 more
Published Apr 22, 2026
Tracked Since Apr 22, 2026