Skip to main content

Linux Kernel EUVDEUVD-2026-32324

| CVE-2026-45858 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pqwg-4rrm-3fg7
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.8 MEDIUM

AC:H because trigger requires transient ENOSPC precisely during extent splitting; C:L and I:L added because description confirms stale prior-allocation data becomes readable and filesystem data integrity is silently corrupted.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:26 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:16 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1

When allocating initialized blocks from a large unwritten extent, or when splitting an unwritten extent during end I/O and converting it to initialized, there is currently a potential issue of stale data if the extent needs to be split in the middle.

0 A B N [UUUUUUUUUUUU] U: unwritten extent [--DDDDDDDD--] D: valid data

|<- ->| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_ENTIRE_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and mark the entire extent from 0 to N as written.

0 A B N [WWWWWWWWWWWW] W: written extent [SSDDDDDDDDZZ] Z: zeroed, S: stale data

ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and left a stale written extent from 0 to A.

0 A B N [WW|WWWWWWWWWW] [SS|DDDDDDDDZZ]

Fix this by pass EXT4_EXT_DATA_PARTIAL_VALID1 to ext4_split_extent_at() when splitting at B, don't convert the entire extent to written and left it as unwritten after zeroing out B to N. The remaining work is just like the standard two-part split. ext4_split_extent() will pass the EXT4_EXT_DATA_VALID2 flag when it calls ext4_split_extent_at() for the second time, allowing it to properly handle the split. If the split is successful, it will keep extent from 0 to A as unwritten.

AnalysisAI

Stale data exposure and filesystem data corruption in the Linux kernel's ext4 extent-splitting subsystem affects all major stable branches prior to 6.6.130, 6.12.75, 6.18.14, 6.19.4, and 7.0. When ext4_split_extent_at() encounters a transient ENOSPC condition while splitting a large unwritten extent at its first boundary, the error path incorrectly zeroes out and marks the entire extent as written - leaving stale disk content from adjacent regions readable in areas that should remain unwritten or zero-filled. No public exploit identified at time of analysis; EPSS at 0.02% (5th percentile) reflects the narrow, local-only, condition-dependent trigger path that makes automated or widespread exploitation highly unlikely.

Technical ContextAI

The vulnerability resides in the ext4 filesystem's extent tree management subsystem, specifically in the interaction between ext4_split_extent() and ext4_split_extent_at() within the Linux kernel. Ext4 extents exist in two states: 'unwritten' (allocated but not yet initialized to the application) and 'written' (fully initialized). During I/O completion, when only a subrange [A, B] of a larger unwritten extent [0, N] is being converted to written, ext4_split_extent() must split the extent at two boundaries. If the first split at B fails due to transient ENOSPC, the existing error path invokes zero-out on the B-to-N range and then propagates EXT4_EXT_DATA_ENTIRE_VALID1, incorrectly marking the full 0-to-N extent as written. This leaves the 0-to-A region - which contains stale on-disk data from previous allocations - now accessible as a written (initialized) extent. The fix changes the flag passed on failure to EXT4_EXT_DATA_PARTIAL_VALID1, preventing the premature initialized conversion and preserving correct two-step split semantics. CPE cpe:2.3:o:linux:linux_kernel:* confirms all Linux kernel versions from initial commits are within scope until the respective stable fixes.

RemediationAI

Vendor-released patches are available: upgrade to Linux kernel 6.6.130 or later (6.6 LTS), 6.12.75 or later (6.12 LTS), 6.18.14 or later (6.18 branch), 6.19.4 or later (6.19 branch), or 7.0+ for mainline. Linux distribution vendors (Red Hat, Ubuntu, SUSE, Debian) will carry these fixes in their respective kernel update streams - check vendor-specific errata. If an immediate kernel upgrade is not feasible, compensating controls are limited in scope: restrict local user write access to ext4 volumes containing sensitive data to reduce the potential for stale-data disclosure; monitor and maintain adequate free space on ext4 volumes to reduce the probability of ENOSPC during extent splitting; and audit which unprivileged users have write access to shared ext4 mounts. These mitigations reduce trigger probability but do not eliminate the underlying code defect and carry operational trade-offs (reduced user flexibility, storage management overhead). Migrating workloads to non-ext4 filesystems such as XFS or Btrfs eliminates exposure entirely but introduces significant migration complexity.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy