CVE-2026-31448 (GCVE-0-2026-31448)

Vulnerability from cvelistv5 – Published: 2026-04-22 13:53 – Updated: 2026-05-11 22:08
VLAI?
Title
ext4: avoid infinite loops caused by residual data
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously. The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1]. If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases: 1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case. 2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks. [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline]
Severity ?
9.4 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 315054f023d28ee64f308adf8b5737831541776b , < c66545e83a802c3851d9be27a41c0479dd29ff0c (git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < ecc50bfca9b5c2ee6aeef998181689b80477367b (git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < 3a7667595bcad84da53fc156a418e110267c3412 (git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < 416c86f30f91b4fb2642ef6b102596ca898f41a5 (git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < 64f425b06b3bea9abc8977fd3982779b3ad070c9 (git)
Affected: 315054f023d28ee64f308adf8b5737831541776b , < 5422fe71d26d42af6c454ca9527faaad4e677d6c (git)
Create a notification for this product.
Linux Linux Affected: 2.6.22
Unaffected: 0 , < 2.6.22 (semver)
Unaffected: 6.1.168 , ≤ 6.1.* (semver)
Unaffected: 6.6.131 , ≤ 6.6.* (semver)
Unaffected: 6.12.80 , ≤ 6.12.* (semver)
Unaffected: 6.18.21 , ≤ 6.18.* (semver)
Unaffected: 6.19.11 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c66545e83a802c3851d9be27a41c0479dd29ff0c",
              "status": "affected",
              "version": "315054f023d28ee64f308adf8b5737831541776b",
              "versionType": "git"
            },
            {
              "lessThan": "ecc50bfca9b5c2ee6aeef998181689b80477367b",
              "status": "affected",
              "version": "315054f023d28ee64f308adf8b5737831541776b",
              "versionType": "git"
            },
            {
              "lessThan": "3a7667595bcad84da53fc156a418e110267c3412",
              "status": "affected",
              "version": "315054f023d28ee64f308adf8b5737831541776b",
              "versionType": "git"
            },
            {
              "lessThan": "416c86f30f91b4fb2642ef6b102596ca898f41a5",
              "status": "affected",
              "version": "315054f023d28ee64f308adf8b5737831541776b",
              "versionType": "git"
            },
            {
              "lessThan": "64f425b06b3bea9abc8977fd3982779b3ad070c9",
              "status": "affected",
              "version": "315054f023d28ee64f308adf8b5737831541776b",
              "versionType": "git"
            },
            {
              "lessThan": "5422fe71d26d42af6c454ca9527faaad4e677d6c",
              "status": "affected",
              "version": "315054f023d28ee64f308adf8b5737831541776b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.168",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.131",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.80",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.21",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.11",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid infinite loops caused by residual data\n\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\nif inserting a new extent into the extent tree fails (in this example,\nbecause the file system disabled the huge file feature when marking the\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\nreclaim the physical block without deleting the corresponding data in\nthe extent tree. This causes subsequent mkdir operations to reference\nthe previously reclaimed physical block number again, even though this\nphysical block is already being used by the xattr block. Therefore, a\nsituation arises where both the directory and xattr are using the same\nbuffer head block in memory simultaneously.\n\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\n\"inserted\" and cannot release the inode lock, ultimately leading to the\n143s blocking problem mentioned in [1].\n\nIf the metadata is corrupted, then trying to remove some extent space\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\nwas passed, remove space wrongly update quota information.\nJan Kara suggests distinguishing between two cases:\n\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\nconsistent and we must maintain its consistency including all the\naccounting. However these errors can happen only early before we\u0027ve\ninserted the extent into the extent tree. So current code works correctly\nfor this case.\n\n2) Some other error - this means metadata is corrupted. We should strive to\ndo as few modifications as possible to limit damage. So I\u0027d just skip\nfreeing of allocated blocks.\n\n[1]\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\nCall Trace:\n inode_lock_nested include/linux/fs.h:1073 [inline]\n __start_dirop fs/namei.c:2923 [inline]\n start_dirop fs/namei.c:2934 [inline]"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T22:08:54.289Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c66545e83a802c3851d9be27a41c0479dd29ff0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecc50bfca9b5c2ee6aeef998181689b80477367b"
        },
        {
          "url": "https://git.kernel.org/stable/c/3a7667595bcad84da53fc156a418e110267c3412"
        },
        {
          "url": "https://git.kernel.org/stable/c/416c86f30f91b4fb2642ef6b102596ca898f41a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/64f425b06b3bea9abc8977fd3982779b3ad070c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/5422fe71d26d42af6c454ca9527faaad4e677d6c"
        }
      ],
      "title": "ext4: avoid infinite loops caused by residual data",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31448",
    "datePublished": "2026-04-22T13:53:44.129Z",
    "dateReserved": "2026-03-09T15:48:24.091Z",
    "dateUpdated": "2026-05-11T22:08:54.289Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31448",
      "date": "2026-05-24",
      "epss": "0.00076",
      "percentile": "0.22629"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31448\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-22T14:16:38.760\",\"lastModified\":\"2026-05-07T18:43:29.587\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: avoid infinite loops caused by residual data\\n\\nOn the mkdir/mknod path, when mapping logical blocks to physical blocks,\\nif inserting a new extent into the extent tree fails (in this example,\\nbecause the file system disabled the huge file feature when marking the\\ninode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to\\nreclaim the physical block without deleting the corresponding data in\\nthe extent tree. This causes subsequent mkdir operations to reference\\nthe previously reclaimed physical block number again, even though this\\nphysical block is already being used by the xattr block. Therefore, a\\nsituation arises where both the directory and xattr are using the same\\nbuffer head block in memory simultaneously.\\n\\nThe above causes ext4_xattr_block_set() to enter an infinite loop about\\n\\\"inserted\\\" and cannot release the inode lock, ultimately leading to the\\n143s blocking problem mentioned in [1].\\n\\nIf the metadata is corrupted, then trying to remove some extent space\\ncan do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE\\nwas passed, remove space wrongly update quota information.\\nJan Kara suggests distinguishing between two cases:\\n\\n1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully\\nconsistent and we must maintain its consistency including all the\\naccounting. However these errors can happen only early before we\u0027ve\\ninserted the extent into the extent tree. So current code works correctly\\nfor this case.\\n\\n2) Some other error - this means metadata is corrupted. We should strive to\\ndo as few modifications as possible to limit damage. So I\u0027d just skip\\nfreeing of allocated blocks.\\n\\n[1]\\nINFO: task syz.0.17:5995 blocked for more than 143 seconds.\\nCall Trace:\\n inode_lock_nested include/linux/fs.h:1073 [inline]\\n __start_dirop fs/namei.c:2923 [inline]\\n start_dirop fs/namei.c:2934 [inline]\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-835\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.22.1\",\"versionEndExcluding\":\"6.1.168\",\"matchCriteriaId\":\"09A2CD65-1CD4-45BC-AB86-2A903D823B07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.131\",\"matchCriteriaId\":\"CE6ED4D4-0046-4573-BFA9-D64143B6A89F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.80\",\"matchCriteriaId\":\"97EB19EC-A11E-49C6-9D2F-6F6EC6CB98B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.21\",\"matchCriteriaId\":\"ED39847A-3B46-4729-B7CA-B2C30B9FA8FE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.11\",\"matchCriteriaId\":\"4CA2E747-A9EC-4518-9AA2-B4247FC748B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F7D6C66-3384-4ACC-9D08-C5A26B4FD004\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.22:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"6465E61D-0238-4ED3-B4CB-E3B93F4F324F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.22:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"830B8340-2B8F-4F0A-8943-F4413411573C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.22:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D123AAFE-3F17-45C4-9382-BA392FD022C4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:2.6.22:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0C256E6-2691-4478-A51C-DE580A717AB9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3a7667595bcad84da53fc156a418e110267c3412\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/416c86f30f91b4fb2642ef6b102596ca898f41a5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5422fe71d26d42af6c454ca9527faaad4e677d6c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/64f425b06b3bea9abc8977fd3982779b3ad070c9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/c66545e83a802c3851d9be27a41c0479dd29ff0c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/ecc50bfca9b5c2ee6aeef998181689b80477367b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.