CVE-2026-45912 (GCVE-0-2026-45912)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 12:17
VLAI
Title
ext4: don't cache extent during splitting extent
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: don't cache extent during splitting extent Caching extents during the splitting process is risky, as it may result in stale extents remaining in the status tree. Moreover, in most cases, the corresponding extent block entries are likely already cached before the split happens, making caching here not particularly useful. Assume we have an unwritten extent, and then DIO writes the first half. [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree |<- ->| ----> dio write this range First, when ext4_split_extent_at() splits this extent, it truncates the existing extent and then inserts a new one. During this process, this extent status entry may be shrunk, and calls to ext4_find_extent() and ext4_cache_extents() may occur, which could potentially insert the truncated range as a hole into the extent status tree. After the split is completed, this hole is not replaced with the correct status. [UUUUUUU|UUUUUUUU] on-disk extent U: unwritten extent [UUUUUUU|HHHHHHHH] extent status tree H: hole Then, the outer calling functions will not correct this remaining hole extent either. Finally, if we perform a delayed buffer write on this latter part, it will re-insert the delayed extent and cause an error in space accounting. In adition, if the unwritten extent cache is not shrunk during the splitting, ext4_cache_extents() also conflicts with existing extents when caching extents. In the future, we will add checks when caching extents, which will trigger a warning. Therefore, Do not cache extents that are being split.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8302b5b4aacdbb378f7b1216bb2ee782b5142415 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 692103feca376ae4298c92aa8828015d20f1d87b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c2d9dac4d328244f9365b0a1fa27ec802821820 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 96007fd3c106aea773c1afae2d6f64cceb6da208 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5b1f4290453314e11cd8e15c7baa8a9b76c19b23 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9a2b95cdaf07785e2739199037bd9c0863ccc1be (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79 (git)
Affected: 0 , < 5.10.252 (semver)
Affected: 0 , < 5.15.202 (semver)
Affected: 0 , < 6.1.165 (semver)
Affected: 0 , < 6.6.128 (semver)
Affected: 0 , < 6.12.75 (semver)
Affected: 0 , < 6.18.14 (semver)
Affected: 0 , < 6.19.4 (semver)
Create a notification for this product.
Linux Linux Unaffected: 5.10.252 , ≤ 5.10.* (semver)
Unaffected: 5.15.202 , ≤ 5.15.* (semver)
Unaffected: 6.1.165 , ≤ 6.1.* (semver)
Unaffected: 6.6.128 , ≤ 6.6.* (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8302b5b4aacdbb378f7b1216bb2ee782b5142415",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "692103feca376ae4298c92aa8828015d20f1d87b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c2d9dac4d328244f9365b0a1fa27ec802821820",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "96007fd3c106aea773c1afae2d6f64cceb6da208",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5b1f4290453314e11cd8e15c7baa8a9b76c19b23",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9a2b95cdaf07785e2739199037bd9c0863ccc1be",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5.10.252",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.15.202",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.1.165",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.128",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.75",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/extents.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.252",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.202",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.252",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.202",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.128",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: don\u0027t cache extent during splitting extent\n\nCaching extents during the splitting process is risky, as it may result\nin stale extents remaining in the status tree. Moreover, in most cases,\nthe corresponding extent block entries are likely already cached before\nthe split happens, making caching here not particularly useful.\n\nAssume we have an unwritten extent, and then DIO writes the first half.\n\n  [UUUUUUUUUUUUUUUU] on-disk extent        U: unwritten extent\n  [UUUUUUUUUUUUUUUU] extent status tree\n  |\u003c-   -\u003e| ----\u003e dio write this range\n\nFirst, when ext4_split_extent_at() splits this extent, it truncates the\nexisting extent and then inserts a new one. During this process, this\nextent status entry may be shrunk, and calls to ext4_find_extent() and\next4_cache_extents() may occur, which could potentially insert the\ntruncated range as a hole into the extent status tree. After the split\nis completed, this hole is not replaced with the correct status.\n\n  [UUUUUUU|UUUUUUUU] on-disk extent        U: unwritten extent\n  [UUUUUUU|HHHHHHHH] extent status tree    H: hole\n\nThen, the outer calling functions will not correct this remaining hole\nextent either. Finally, if we perform a delayed buffer write on this\nlatter part, it will re-insert the delayed extent and cause an error in\nspace accounting.\n\nIn adition, if the unwritten extent cache is not shrunk during the\nsplitting, ext4_cache_extents() also conflicts with existing extents\nwhen caching extents. In the future, we will add checks when caching\nextents, which will trigger a warning. Therefore, Do not cache extents\nthat are being split."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:27.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415"
        },
        {
          "url": "https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820"
        },
        {
          "url": "https://git.kernel.org/stable/c/93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036"
        },
        {
          "url": "https://git.kernel.org/stable/c/96007fd3c106aea773c1afae2d6f64cceb6da208"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a2b95cdaf07785e2739199037bd9c0863ccc1be"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79"
        }
      ],
      "title": "ext4: don\u0027t cache extent during splitting extent",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45912",
    "datePublished": "2026-05-27T12:17:27.805Z",
    "dateReserved": "2026-05-13T15:03:33.085Z",
    "dateUpdated": "2026-05-27T12:17:27.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45912",
      "date": "2026-05-29",
      "epss": "0.00024",
      "percentile": "0.07393"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45912\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:05.867\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: don\u0027t cache extent during splitting extent\\n\\nCaching extents during the splitting process is risky, as it may result\\nin stale extents remaining in the status tree. Moreover, in most cases,\\nthe corresponding extent block entries are likely already cached before\\nthe split happens, making caching here not particularly useful.\\n\\nAssume we have an unwritten extent, and then DIO writes the first half.\\n\\n  [UUUUUUUUUUUUUUUU] on-disk extent        U: unwritten extent\\n  [UUUUUUUUUUUUUUUU] extent status tree\\n  |\u003c-   -\u003e| ----\u003e dio write this range\\n\\nFirst, when ext4_split_extent_at() splits this extent, it truncates the\\nexisting extent and then inserts a new one. During this process, this\\nextent status entry may be shrunk, and calls to ext4_find_extent() and\\next4_cache_extents() may occur, which could potentially insert the\\ntruncated range as a hole into the extent status tree. After the split\\nis completed, this hole is not replaced with the correct status.\\n\\n  [UUUUUUU|UUUUUUUU] on-disk extent        U: unwritten extent\\n  [UUUUUUU|HHHHHHHH] extent status tree    H: hole\\n\\nThen, the outer calling functions will not correct this remaining hole\\nextent either. Finally, if we perform a delayed buffer write on this\\nlatter part, it will re-insert the delayed extent and cause an error in\\nspace accounting.\\n\\nIn adition, if the unwritten extent cache is not shrunk during the\\nsplitting, ext4_cache_extents() also conflicts with existing extents\\nwhen caching extents. In the future, we will add checks when caching\\nextents, which will trigger a warning. Therefore, Do not cache extents\\nthat are being split.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/96007fd3c106aea773c1afae2d6f64cceb6da208\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a2b95cdaf07785e2739199037bd9c0863ccc1be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.