Skip to main content

Linux Kernel EUVDEUVD-2026-32226

| CVE-2026-45942 HIGH
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w5q7-xvcj-p6c8
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:30 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix e4b bitmap inconsistency reports

A bitmap inconsistency issue was observed during stress tests under mixed huge-page workloads. Ext4 reported multiple e4b bitmap check failures like:

ext4_mb_complex_scan_group:2508: group 350, 8179 free clusters as per group info. But got 8192 blocks

Analysis and experimentation confirmed that the issue is caused by a race condition between page migration and bitmap modification. Although this timing window is extremely narrow, it is still hit in practice:

folio_lock ext4_mb_load_buddy __migrate_folio check ref count folio_mc_copy __filemap_get_folio folio_try_get(folio) ...... mb_mark_used ext4_mb_unload_buddy __folio_migrate_mapping folio_ref_freeze folio_unlock

The root cause of this issue is that the fast path of load_buddy only increments the folio's reference count, which is insufficient to prevent concurrent folio migration. We observed that the folio migration process acquires the folio lock. Therefore, we can determine whether to take the fast path in load_buddy by checking the lock status. If the folio is locked, we opt for the slow path (which acquires the lock) to close this concurrency window.

Additionally, this change addresses the following issues:

When the DOUBLE_CHECK macro is enabled to inspect bitmap-related issues, the following error may be triggered:

corruption in group 324 at byte 784(6272): f in copy != ff on disk/prealloc

Analysis reveals that this is a false positive. There is a specific race window where the bitmap and the group descriptor become momentarily inconsistent, leading to this error report:

ext4_mb_load_buddy ext4_mb_load_buddy __filemap_get_folio(create|lock) folio_lock ext4_mb_init_cache folio_mark_uptodate __filemap_get_folio(no lock) ...... mb_mark_used mb_mark_used_double mb_cmp_bitmaps mb_set_bits(e4b->bd_bitmap) folio_unlock

The original logic assumed that since mb_cmp_bitmaps is called when the bitmap is newly loaded from disk, the folio lock would be sufficient to prevent concurrent access. However, this overlooks a specific race condition: if another process attempts to load buddy and finds the folio is already in an uptodate state, it will immediately begin using it without holding folio lock.

AnalysisAI

Filesystem data integrity issue in the Linux kernel ext4 module allows local low-privileged users to trigger bitmap inconsistencies through a race condition between page migration and ext4 buddy bitmap modification under mixed huge-page workloads. The flaw can produce false group descriptor mismatches and corruption of in-memory block allocation state, with high confidentiality, integrity, and availability impact per CVSS 7.8 (AV:L). No public exploit has been identified at time of analysis and EPSS is very low at 0.02%.

Technical ContextAI

The defect lives in fs/ext4/mballoc.c within the multi-block allocator's buddy-cache loading path (ext4_mb_load_buddy). Ext4 caches block bitmap and buddy data in page cache folios; the fast path in load_buddy only increments the folio reference count, which is insufficient to block concurrent folio migration that synchronizes via folio_lock and folio_ref_freeze. A second related race involves mb_cmp_bitmaps assuming the folio lock is held when the page is freshly loaded, but a concurrent loader finding the folio already uptodate can skip the lock and race with mb_set_bits, producing a false DOUBLE_CHECK corruption report. The root cause class is a concurrency/locking defect (improper synchronization, CWE-362 family, though CWE is listed as N/A by NVD); the fix forces the slow path when the folio is locked and tightens lock ordering around the bitmap comparison.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 6.6.130, 6.12.75, 6.18.14, 6.19.4, or 7.0 (or any later stable release on those branches), pulling in the mainline commits referenced above (29a07d69…, 57e83bfb…, bdc56a9c…, c05033cf…, f29709a7…). Distribution users should track their vendor's kernel advisories (RHEL, SUSE, Ubuntu, Debian, Amazon Linux) and apply the next kernel update that backports these commits and reboot, since the change is in core ext4 and cannot be hot-patched via module reload. If immediate patching is not possible, compensating mitigations are limited because the bug is triggered by normal filesystem activity under memory pressure: reducing transparent huge-page activity for ext4-heavy workloads (echo never > /sys/kernel/mm/transparent_hugepage/enabled) and avoiding memory-compaction-heavy tuning can shrink the race window at the cost of memory efficiency and TLB performance, and restricting untrusted local user workloads on affected hosts reduces who can plausibly induce the stress pattern, but neither is a real fix. Migrating critical data volumes to xfs is a heavy-handed alternative that eliminates exposure to ext4-specific allocator bugs but introduces feature and operational differences.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32226 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy