Skip to main content

Linux Kernel ext4 CVE-2026-31448

| EUVDEUVD-2026-24784 CRITICAL
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Critical
Disputed · 9.4 Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:27 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
9.4 (CRITICAL)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24784
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
CRITICAL 9.4

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid infinite loops caused by residual data

On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously.

The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1].

If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases:

  1. The error is ENOSPC or EDQUOT - in this case the filesystem is fully

consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case.

  1. Some other error - this means metadata is corrupted. We should strive to

do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks.

[1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline]

AnalysisAI

Denial of service in Linux kernel ext4 filesystem allows remote attackers to trigger infinite loops and system hangs (143+ second inode lock blocking) via crafted mkdir/mknod operations. The vulnerability stems from incomplete cleanup when extent insertion fails - ext4_ext_map_blocks() reclaims physical blocks without deleting stale extent tree entries, causing reuse of blocks already allocated to xattrs. This triggers infinite loops in ext4_xattr_block_set() that hold inode locks indefinitely. With CVSS 9.4 (AV:N/AC:L/PR:N/UI:N) but EPSS only 0.02% (percentile 7), the network attack vector rating appears inconsistent with typical local filesystem exploitation. Patches available across stable kernel branches 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and mainline 7.0. No active exploitation confirmed (not in CISA KEV), but tagged for denial-of-service impact.

Technical ContextAI

The ext4 filesystem uses extent trees to map logical file blocks to physical disk blocks. During directory creation (mkdir/mknod), ext4_ext_map_blocks() attempts to insert new extents into this tree. When insertion fails - specifically when the huge file feature is disabled during inode dirtying - the function calls ext4_free_blocks() to reclaim the allocated physical block but leaves residual metadata in the extent tree. This creates a dangling reference where the freed block number remains mapped. Subsequent mkdir operations read this stale mapping and attempt to reuse the physical block, which may now be allocated to extended attribute (xattr) storage. The collision causes ext4_xattr_block_set() to enter an infinite loop while holding the inode lock, as both the directory entry and xattr block reference the same buffer head. The patch distinguishes filesystem-consistent errors (ENOSPC/EDQUOT, occurring before extent insertion) from metadata corruption errors (other failures, after partial insertion), implementing selective cleanup to prevent cascading damage to quota accounting and extent tree integrity.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168+ for 6.1.x series, 6.6.131+ for 6.6.x, 6.12.80+ for 6.12.x, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0+ for mainline. Patches available from kernel.org stable tree (commits listed in references). If immediate patching is infeasible, consider these compensating controls with noted trade-offs: (1) Disable ext4 huge file feature globally via tune2fs -O ^huge_file on affected filesystems - prevents triggering condition but limits maximum file sizes to 2TB and may impact performance for large files; (2) Restrict mkdir/mknod system calls for untrusted users via seccomp or SELinux policies - reduces attack surface but breaks legitimate directory creation workflows; (3) Monitor for inode lock wait times exceeding 60 seconds and configure automatic kernel panic/reboot via hung task timeout - contains DoS impact but causes service disruption. No effective mitigation exists without kernel patch for systems requiring full ext4 functionality. Advisory URLs: https://git.kernel.org/stable/c/64f425b06b3b (6.1.168), https://git.kernel.org/stable/c/416c86f30f91 (6.6.131), https://git.kernel.org/stable/c/c66545e83a80 (6.12.80), https://git.kernel.org/stable/c/5422fe71d26d (6.18.21), https://git.kernel.org/stable/c/ecc50bfca9b5 (6.19.11), https://git.kernel.org/stable/c/3a7667595bca (7.0).

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31448 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy