Skip to main content

Linux Kernel EUVDEUVD-2026-32378

| CVE-2026-45912 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2r5x-f6hq-8f5p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local trigger via O_DIRECT requiring PR:L write access to ext4; pure availability impact (space accounting corruption) with no confidentiality or integrity exposure.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 15:09 vuln.today
CVSS changed
Jun 24, 2026 - 15:07 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ext4: don't cache extent during splitting extent

Caching extents during the splitting process is risky, as it may result in stale extents remaining in the status tree. Moreover, in most cases, the corresponding extent block entries are likely already cached before the split happens, making caching here not particularly useful.

Assume we have an unwritten extent, and then DIO writes the first half.

[UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree

|<- ->| ----> dio write this range First, when ext4_split_extent_at() splits this extent, it truncates the existing extent and then inserts a new one. During this process, this extent status entry may be shrunk, and calls to ext4_find_extent() and ext4_cache_extents() may occur, which could potentially insert the truncated range as a hole into the extent status tree. After the split is completed, this hole is not replaced with the correct status.

[UUUUUUU|UUUUUUUU] on-disk extent U: unwritten extent [UUUUUUU|HHHHHHHH] extent status tree H: hole

Then, the outer calling functions will not correct this remaining hole extent either. Finally, if we perform a delayed buffer write on this latter part, it will re-insert the delayed extent and cause an error in space accounting.

In adition, if the unwritten extent cache is not shrunk during the splitting, ext4_cache_extents() also conflicts with existing extents when caching extents. In the future, we will add checks when caching extents, which will trigger a warning. Therefore, Do not cache extents that are being split.

AnalysisAI

Ext4 filesystem extent-splitting logic in the Linux kernel incorrectly caches extents mid-operation, leaving stale hole entries in the in-memory extent status tree (ESTree). When a Direct I/O write partially covers a pre-allocated unwritten extent, ext4_split_extent_at() can insert an incorrect hole entry that persists uncorrected, causing space accounting errors when subsequent delayed buffer writes target the same region. No active exploitation has been confirmed (not in CISA KEV), and the EPSS score of 0.02% (7th percentile) reflects negligible real-world exploitation likelihood; this is primarily a kernel correctness and filesystem availability defect rather than a targeted attack surface.

Technical ContextAI

The ext4 filesystem uses an extent-based allocation model tracked in an on-disk B-tree and mirrored in the in-memory extent status tree (ESTree) for performance. Unwritten extents represent fallocate-style pre-allocated regions that have not yet received committed data. When a Direct I/O (O_DIRECT) write covers only part of one of these unwritten extents, ext4_split_extent_at() must split the extent into two: it first truncates the existing ESTree entry and then inserts the new extent. During this window, calls to ext4_find_extent() and ext4_cache_extents() can incorrectly insert the truncated portion as a hole (H) entry into the ESTree. Because the outer calling functions do not correct this stale hole, a subsequent delayed buffer write targeting that range re-inserts a delayed extent entry and triggers erroneous space accounting. The root cause is a logic ordering defect (closest CWE analog: incorrect resource management / improper cache invalidation) rather than a memory safety flaw. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patches exist across all active stable kernel branches; upgrade to one of the following fixed versions matching the installed branch: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or mainline 7.0. The individual stable-branch commits are available at https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820, https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23, https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b, https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415, and related commits per the NVD references. As a compensating control on systems where an immediate kernel upgrade is not feasible, avoiding the use of O_DIRECT (O_DIRECT flag / open(2) with O_DIRECT) on ext4 volumes that use fallocate-based pre-allocation eliminates the specific triggering condition; this trade-off reduces I/O throughput and may be incompatible with database workloads (PostgreSQL, MySQL with direct I/O enabled) that rely on O_DIRECT for performance. No other mitigation eliminates the underlying race without the kernel patch.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy