CVE-2026-45892

MEDIUM

ext4: drop extent cache after doing PARTIAL_VALID1 zeroout

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and buffered write in the middle of it without dioread_nolock enabled, it will allocate blocks as written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data |<- ->| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and leave the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and leave an written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only insert extent A to B to the extent status tree, and leave an stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always cached extent status entry after zeroing out the second part.

Scores

CVSS v3 5.5
EPSS 0.0015
EPSS Percentile 5.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Details

Status published
Products (23)
linux/Kernel 6.1.167 - 6.1.168linux
Linux/Linux < 6.12.75
Linux/Linux < 6.18.14
Linux/Linux < 6.19.4
Linux/Linux < 6.6.130
Linux/Linux 1bf6974822d1dba86cf11b5f05498581cf3488a2 - 6d882ea3b0931b43530d44149b79fcd4ffc13030
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - 6d882ea3b0931b43530d44149b79fcd4ffc13030
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - a1b962a821e7a52d48212ae269b45808b4411267
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - c2ee51d684adca7645e4aa74adca13f6750390bc
Linux/Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 - d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
... and 13 more
Published May 27, 2026
Tracked Since May 27, 2026