Skip to main content

Linux Kernel ext4 CVE-2026-31449

| EUVDEUVD-2026-24786 HIGH
Out-of-bounds Read (CWE-125)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 27, 2026 - 14:27 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch released
Apr 27, 2026 - 14:16 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24786
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: validate p_idx bounds in ext4_ext_correct_indexes

ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level.

If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buffer, causing a slab-out-of-bounds read.

Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at both access sites: before the while loop and inside it. Return -EFSCORRUPTED if the index pointer is out of range, consistent with how other bounds violations are handled in the ext4 extent tree code.

AnalysisAI

Buffer overflow in Linux kernel ext4 filesystem allows local attackers with user interaction to achieve arbitrary code execution via crafted extent tree metadata. The ext4_ext_correct_indexes() function fails to validate index pointer bounds when walking up the extent tree, enabling slab-out-of-bounds memory reads when processing malicious filesystem images. With CVSS 7.8 (high severity) but only 0.02% EPSS (5th percentile), this represents elevated theoretical risk with minimal observed real-world exploitation. Vendor patches available across multiple stable kernel branches (6.12.80, 6.18.21, 6.19.11, 7.0), and no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

The ext4 filesystem uses extent trees to track file block mappings, with index nodes pointing to child extent nodes. The ext4_ext_correct_indexes() function traverses this tree upward to update index entries when leaf extents are modified. The vulnerability occurs because the function accesses path[k].p_idx->ei_block without first verifying that p_idx points within the valid range defined by the extent header's eh_entries field. An attacker controlling on-disk filesystem metadata (via a maliciously crafted ext4 image) can set corrupted eh_entries values causing p_idx to reference memory beyond the allocated buffer. This is a classic bounds check omission in kernel memory management code. The fix validates p_idx against EXT_LAST_INDEX() before dereferencing, returning -EFSCORRUPTED for invalid pointers. This class of vulnerability affects kernel filesystem parsers that trust on-disk metadata without thorough validation, a common attack surface when mounting untrusted storage devices or filesystem images.

RemediationAI

Update to patched Linux kernel versions: 6.12.80 or later for the 6.12.x stable series, 6.18.21+ for 6.18.x, 6.19.11+ for 6.19.x, or 7.0+ for mainline kernels. Patches available at https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33 (7.0), https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 (6.19.11), https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83 (6.18.21), and https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1 (6.12.80). For systems unable to immediately patch, implement strict controls on filesystem mounting: disable automount of removable media via udev rules, restrict mount privileges to trusted administrators only (remove setuid from mount binaries, enforce PolicyKit restrictions), implement mandatory filesystem integrity checking before mount (fsck with strict validation), and deploy kernel security modules (SELinux, AppArmor) with policies denying unprivileged mount operations. Note that disabling ext4 support entirely via kernel module blacklisting breaks most Linux systems as ext4 is the default root filesystem format. Compensating controls significantly impact usability (users cannot mount USB drives, access external storage) and should be considered temporary measures only until patching is completed.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31449 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy