Skip to main content

Linux Kernel EUVDEUVD-2026-24791

| CVE-2026-31452 HIGH
Out-of-bounds Write (CWE-787)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g495-4jqx-cp59
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 06, 2026 - 22:37 vuln.today
CVSS changed
May 06, 2026 - 20:22 NVD
7.8 (HIGH)
Patch released
Apr 23, 2026 - 16:17 nvd
Patch available
Patch available
Apr 22, 2026 - 16:02 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24791
CVE Published
Apr 22, 2026 - 14:16 nvd
N/A
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ext4: convert inline data to extents when truncate exceeds inline size

Add a check in ext4_setattr() to convert files from inline data storage to extent-based storage when truncate() grows the file size beyond the inline capacity. This prevents the filesystem from entering an inconsistent state where the inline data flag is set but the file size exceeds what can be stored inline.

Without this fix, the following sequence causes a kernel BUG_ON():

  1. Mount filesystem with inode that has inline flag set and small size
  2. truncate(file, 50MB) - grows size but inline flag remains set
  3. sendfile() attempts to write data
  4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity)

The crash occurs because ext4_write_inline_data() expects inline storage to accommodate the write, but the actual inline capacity (~60 bytes for i_block + ~96 bytes for xattrs) is far smaller than the file size and write request.

The fix checks if the new size from setattr exceeds the inode's actual inline capacity (EXT4_I(inode)->i_inline_size) and converts the file to extent-based storage before proceeding with the size change.

This addresses the root cause by ensuring the inline data flag and file size remain consistent during truncate operations.

AnalysisAI

Local privilege escalation in Linux Kernel ext4 filesystem allows authenticated users to trigger kernel crashes and potentially execute arbitrary code with high privileges. The vulnerability stems from improper handling of inline data conversion when truncate() operations exceed inline storage capacity in ext4 filesystems. Affected kernel versions include mainline through 7.0-rc3 and stable branches 5.10.x through 6.19.x, with vendor patches available across all active kernel series. EPSS exploitation probability is very low (0.02%, 7th percentile) and no public exploit identified at time of analysis, though CVSS 7.8 reflects high local impact if exploited.

Technical ContextAI

This vulnerability affects the ext4 filesystem's inline data feature, which stores small file contents directly within the inode structure rather than allocating separate data blocks. The ext4 inline data implementation stores approximately 60 bytes in the i_block array plus up to 96 bytes in extended attributes for small files to optimize storage and performance. The flaw (CWE-787: Out-of-bounds Write) occurs in the ext4_setattr() function when truncate() system calls expand file size beyond inline capacity without converting to extent-based storage. This creates a state inconsistency where EXT4_INLINE_DATA_FL flag remains set but inode->i_size exceeds the actual inline capacity tracked in EXT4_I(inode)->i_inline_size. Subsequent write operations via sendfile() or other paths invoke ext4_write_inline_data(), which enforces a BUG_ON() assertion when write size exceeds inline capacity, causing immediate kernel panic. The affected code path spans inode attribute modification, inline data management, and filesystem consistency enforcement mechanisms within the ext4 driver.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.253 or later for 5.10.x series, 5.15.203 or later for 5.15.x, 6.1.168 or later for 6.1.x, 6.6.131 or later for 6.6.x, 6.12.80 or later for 6.12.x, 6.18.21 or later for 6.18.x, 6.19.11 or later for 6.19.x, or upgrade to mainline 7.0. Patches available from https://git.kernel.org/stable with specific commits referenced in official advisories at https://nvd.nist.gov/vuln/detail/CVE-2026-31452. For systems unable to immediately patch, consider disabling ext4 inline data feature by remounting filesystems with '-o noinline_data' mount option, though this requires unmounting and may impact small file performance; verify application compatibility before deploying as the mount option change persists in fstab and affects all files created subsequently. In multi-tenant environments, implement stricter local user quotas and monitoring for abnormal truncate() patterns on ext4 filesystems as a detection control, though this does not prevent exploitation. No effective runtime workaround exists without kernel patch or filesystem remount.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy