Skip to main content

Linux Kernel EUVDEUVD-2026-32386

| CVE-2026-45920 HIGH
Double Free (CWE-415)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-r62x-r6m8-28mx
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.6 LOW

Local access and a narrow shutdown/error race (AC:H), low privilege to induce shutdown (PR:L); effect is counter corruption and a warning, so no confidentiality and only limited integrity/availability impact.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:39 vuln.today
CVSS changed
Jun 24, 2026 - 17:38 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix dirtyclusters double decrement on fs shutdown

fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count:

WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]

Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks().

First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency.

To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure.

AnalysisAI

Local denial-of-condition in the Linux kernel ext4 filesystem driver allows an internal counter (s_dirtyclusters_counter) to be double-decremented to -1 along the block-allocation error path that triggers during filesystem shutdown, surfacing as a WARNING in ext4_put_super(). The flaw lives between ext4_mb_mark_diskspace_used() and ext4_mb_new_blocks(), where a metadata-write failure causes the dirty-clusters reservation to be released twice. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%, 7th percentile); despite the CWE-415 (double free) classification and a 7.8 CVSS, the observed effect is cluster-accounting corruption rather than demonstrated memory corruption.

Technical ContextAI

The bug is in the ext4 multi-block allocator (mballoc), specifically the non-delalloc allocation path. ext4 tracks reserved-but-not-yet-written disk space via the per-superblock s_dirtyclusters_counter. When ext4_mb_mark_context() returns an error from ext4_handle_dirty_metadata() (as happens under an injected filesystem shutdown), ext4_mb_mark_diskspace_used() already decrements both cluster counters and propagates the error; the caller ext4_mb_new_blocks() then enters its !ar->len cleanup path and decrements the dirty-clusters counter a second time. CWE-415 (Double Free) is the root-cause class - ownership of the reservation resource was ambiguous across the callee/caller boundary, so the same logical resource is released twice. The CPE data identifies only one product line, cpe:2.3:o:linux:linux_kernel (versions enumerated separately), confirming this is a kernel-internal defect rather than a userspace-facing component.

RemediationAI

Vendor-released patch: upgrade to a fixed stable kernel - 5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.75, 6.18.14, or 6.19.4 (or later within your series), matching the fix commits at git.kernel.org/stable (e.g. https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20). For distribution kernels, apply the vendor backport once published rather than the upstream commit directly. No standalone configuration workaround disables this code path because the dirty-clusters accounting is intrinsic to normal ext4 block allocation; the only meaningful compensating control is to reduce exposure to forced/abrupt filesystem shutdown conditions (e.g. ensure clean unmounts, stable storage backing) since the bug manifests on the shutdown error path, but this does not eliminate the defect and is no substitute for patching. Given low real-world risk, schedule this within standard kernel maintenance windows.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy