Skip to main content

Linux Kernel CVE-2026-46080

| EUVDEUVD-2026-32463 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-8mmh-cvrq-r3x6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege write access to an OCFS2 volume is sufficient to trigger credit exhaustion; no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:28 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: split transactions in dio completion to avoid credit exhaustion

During ocfs2 dio operations, JBD2 may report warnings via following call trace: ocfs2_dio_end_io_write ocfs2_mark_extent_written ocfs2_change_extent_flag ocfs2_split_extent ocfs2_try_to_merge_extent ocfs2_extend_rotate_transaction ocfs2_extend_trans jbd2__journal_restart start_this_handle output: JBD2: kworker/6:2 wants too many credits credits:5450 rsv_credits:0 max:5449

To prevent exceeding the credits limit, modify ocfs2_dio_end_io_write() to handle extents in a batch of transaction.

Additionally, relocate ocfs2_del_inode_from_orphan(). The orphan inode should only be removed from the orphan list after the extent tree update is complete. This ensures that if a crash occurs in the middle of extent tree updates, we won't leave stale blocks beyond EOF.

This patch also changes the logic for updating the inode size and removing orphan, making it similar to ext4_dio_write_end_io(). Both operations are performed only when everything looks good.

Finally, thanks to Jans and Joseph for providing the bug fix prototype and suggestions.

AnalysisAI

Credit exhaustion in the OCFS2 DIO completion path of the Linux kernel can cause the JBD2 journaling layer to exceed its maximum transaction credit limit, resulting in kernel warnings and a high-availability denial-of-service condition. Systems running the Linux kernel with the OCFS2 cluster filesystem configured for direct I/O workloads across multiple stable branches (6.6.x, 6.12.x, 6.18.x, 7.0.x) are affected. A local attacker with low privileges and write access to an OCFS2 volume can trigger complex extent tree merges that request more than 5449 JBD2 credits, destabilizing the filesystem journal. No public exploit is identified at time of analysis, and EPSS sits at the 5th percentile, reflecting very low real-world exploitation probability.

Technical ContextAI

OCFS2 (Oracle Cluster Filesystem 2) is a shared-disk cluster filesystem integrated into the Linux kernel, using JBD2 as its journaling layer. JBD2 uses a credit pre-allocation model where each filesystem operation must reserve a fixed number of journal block slots before proceeding; the per-journal maximum is 5449 credits. The vulnerable path begins in ocfs2_dio_end_io_write(), which handles completion of direct I/O writes by calling ocfs2_mark_extent_written() to transition extents from unwritten to written state. Under certain fragmentation patterns, ocfs2_split_extent() invokes ocfs2_try_to_merge_extent(), which in turn calls ocfs2_extend_rotate_transaction() to request additional credits mid-transaction. The cumulative credit demand can exceed the JBD2 maximum (observed at 5450 vs. the 5449 limit), causing start_this_handle() to fail with a warning. The fix batches extent processing within bounded transaction slices and repositions the orphan inode removal to occur only after a successful extent tree update, preventing stale blocks beyond EOF on crash. No CWE is formally assigned, but the root cause is a resource management defect in transaction credit accounting - analogous to CWE-400 (Uncontrolled Resource Consumption). CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel version: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later. Patches are available via the kernel.org stable trees at https://git.kernel.org/stable/c/069c3fb310e9336cf48cfdf8748a32c29fd0193d and related commits listed in the references. If immediate kernel upgrade is not feasible, the most effective compensating control is to avoid OCFS2 for workloads involving heavy direct I/O writes with highly fragmented extents; switching to buffered I/O prevents the ocfs2_dio_end_io_write code path from being triggered, eliminating the vulnerability at the cost of reduced I/O performance for those workloads. Alternatively, if OCFS2 is not required, unmounting and disabling the OCFS2 module (modprobe -r ocfs2) entirely removes exposure with no side effects for systems not relying on cluster filesystem functionality. Systems not using OCFS2 require no action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy