CVE-2026-45942 (GCVE-0-2026-45942)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:17 – Updated: 2026-05-27 12:17
VLAI
Title
ext4: fix e4b bitmap inconsistency reports
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: fix e4b bitmap inconsistency reports A bitmap inconsistency issue was observed during stress tests under mixed huge-page workloads. Ext4 reported multiple e4b bitmap check failures like: ext4_mb_complex_scan_group:2508: group 350, 8179 free clusters as per group info. But got 8192 blocks Analysis and experimentation confirmed that the issue is caused by a race condition between page migration and bitmap modification. Although this timing window is extremely narrow, it is still hit in practice: folio_lock ext4_mb_load_buddy __migrate_folio check ref count folio_mc_copy __filemap_get_folio folio_try_get(folio) ...... mb_mark_used ext4_mb_unload_buddy __folio_migrate_mapping folio_ref_freeze folio_unlock The root cause of this issue is that the fast path of load_buddy only increments the folio's reference count, which is insufficient to prevent concurrent folio migration. We observed that the folio migration process acquires the folio lock. Therefore, we can determine whether to take the fast path in load_buddy by checking the lock status. If the folio is locked, we opt for the slow path (which acquires the lock) to close this concurrency window. Additionally, this change addresses the following issues: When the DOUBLE_CHECK macro is enabled to inspect bitmap-related issues, the following error may be triggered: corruption in group 324 at byte 784(6272): f in copy != ff on disk/prealloc Analysis reveals that this is a false positive. There is a specific race window where the bitmap and the group descriptor become momentarily inconsistent, leading to this error report: ext4_mb_load_buddy ext4_mb_load_buddy __filemap_get_folio(create|lock) folio_lock ext4_mb_init_cache folio_mark_uptodate __filemap_get_folio(no lock) ...... mb_mark_used mb_mark_used_double mb_cmp_bitmaps mb_set_bits(e4b->bd_bitmap) folio_unlock The original logic assumed that since mb_cmp_bitmaps is called when the bitmap is newly loaded from disk, the folio lock would be sufficient to prevent concurrent access. However, this overlooks a specific race condition: if another process attempts to load buddy and finds the folio is already in an uptodate state, it will immediately begin using it without holding folio lock.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 57e83bfbe1e412ac42daced2086f3c6f9a17bba0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c05033cfc5c7699cd4df8d48cef94d01da755f24 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 29a07d691d282faf38c33d4b61839b89399110f9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f29709a7a3fc38f5015d850504762cdef0e151f9 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < bdc56a9c46b2a99c12313122b9352b619a2e719e (git)
Affected: 0 , < 6.6.130 (semver)
Affected: 0 , < 6.12.75 (semver)
Affected: 0 , < 6.18.14 (semver)
Affected: 0 , < 6.19.4 (semver)
Create a notification for this product.
Linux Linux Unaffected: 6.6.130 , ≤ 6.6.* (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.14 , ≤ 6.18.* (semver)
Unaffected: 6.19.4 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/mballoc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "57e83bfbe1e412ac42daced2086f3c6f9a17bba0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c05033cfc5c7699cd4df8d48cef94d01da755f24",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "29a07d691d282faf38c33d4b61839b89399110f9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f29709a7a3fc38f5015d850504762cdef0e151f9",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "bdc56a9c46b2a99c12313122b9352b619a2e719e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6.6.130",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.75",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.19.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/mballoc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix e4b bitmap inconsistency reports\n\nA bitmap inconsistency issue was observed during stress tests under\nmixed huge-page workloads. Ext4 reported multiple e4b bitmap check\nfailures like:\n\next4_mb_complex_scan_group:2508: group 350, 8179 free clusters as\nper group info. But got 8192 blocks\n\nAnalysis and experimentation confirmed that the issue is caused by a\nrace condition between page migration and bitmap modification. Although\nthis timing window is extremely narrow, it is still hit in practice:\n\nfolio_lock                        ext4_mb_load_buddy\n__migrate_folio\n  check ref count\n  folio_mc_copy                     __filemap_get_folio\n                                      folio_try_get(folio)\n                                  ......\n                                  mb_mark_used\n                                  ext4_mb_unload_buddy\n  __folio_migrate_mapping\n    folio_ref_freeze\nfolio_unlock\n\nThe root cause of this issue is that the fast path of load_buddy only\nincrements the folio\u0027s reference count, which is insufficient to prevent\nconcurrent folio migration. We observed that the folio migration process\nacquires the folio lock. Therefore, we can determine whether to take the\nfast path in load_buddy by checking the lock status. If the folio is\nlocked, we opt for the slow path (which acquires the lock) to close this\nconcurrency window.\n\nAdditionally, this change addresses the following issues:\n\nWhen the DOUBLE_CHECK macro is enabled to inspect bitmap-related\nissues, the following error may be triggered:\n\ncorruption in group 324 at byte 784(6272): f in copy != ff on\ndisk/prealloc\n\nAnalysis reveals that this is a false positive. There is a specific race\nwindow where the bitmap and the group descriptor become momentarily\ninconsistent, leading to this error report:\n\next4_mb_load_buddy                   ext4_mb_load_buddy\n  __filemap_get_folio(create|lock)\n    folio_lock\n  ext4_mb_init_cache\n    folio_mark_uptodate\n                                     __filemap_get_folio(no lock)\n                                     ......\n                                     mb_mark_used\n                                       mb_mark_used_double\n  mb_cmp_bitmaps\n                                       mb_set_bits(e4b-\u003ebd_bitmap)\n  folio_unlock\n\nThe original logic assumed that since mb_cmp_bitmaps is called when the\nbitmap is newly loaded from disk, the folio lock would be sufficient to\nprevent concurrent access. However, this overlooks a specific race\ncondition: if another process attempts to load buddy and finds the folio\nis already in an uptodate state, it will immediately begin using it without\nholding folio lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:57.950Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/57e83bfbe1e412ac42daced2086f3c6f9a17bba0"
        },
        {
          "url": "https://git.kernel.org/stable/c/c05033cfc5c7699cd4df8d48cef94d01da755f24"
        },
        {
          "url": "https://git.kernel.org/stable/c/29a07d691d282faf38c33d4b61839b89399110f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f29709a7a3fc38f5015d850504762cdef0e151f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/bdc56a9c46b2a99c12313122b9352b619a2e719e"
        }
      ],
      "title": "ext4: fix e4b bitmap inconsistency reports",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45942",
    "datePublished": "2026-05-27T12:17:57.950Z",
    "dateReserved": "2026-05-13T15:03:33.087Z",
    "dateUpdated": "2026-05-27T12:17:57.950Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-45942",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-45942\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-27T14:17:10.427\",\"lastModified\":\"2026-05-27T14:48:03.013\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\next4: fix e4b bitmap inconsistency reports\\n\\nA bitmap inconsistency issue was observed during stress tests under\\nmixed huge-page workloads. Ext4 reported multiple e4b bitmap check\\nfailures like:\\n\\next4_mb_complex_scan_group:2508: group 350, 8179 free clusters as\\nper group info. But got 8192 blocks\\n\\nAnalysis and experimentation confirmed that the issue is caused by a\\nrace condition between page migration and bitmap modification. Although\\nthis timing window is extremely narrow, it is still hit in practice:\\n\\nfolio_lock                        ext4_mb_load_buddy\\n__migrate_folio\\n  check ref count\\n  folio_mc_copy                     __filemap_get_folio\\n                                      folio_try_get(folio)\\n                                  ......\\n                                  mb_mark_used\\n                                  ext4_mb_unload_buddy\\n  __folio_migrate_mapping\\n    folio_ref_freeze\\nfolio_unlock\\n\\nThe root cause of this issue is that the fast path of load_buddy only\\nincrements the folio\u0027s reference count, which is insufficient to prevent\\nconcurrent folio migration. We observed that the folio migration process\\nacquires the folio lock. Therefore, we can determine whether to take the\\nfast path in load_buddy by checking the lock status. If the folio is\\nlocked, we opt for the slow path (which acquires the lock) to close this\\nconcurrency window.\\n\\nAdditionally, this change addresses the following issues:\\n\\nWhen the DOUBLE_CHECK macro is enabled to inspect bitmap-related\\nissues, the following error may be triggered:\\n\\ncorruption in group 324 at byte 784(6272): f in copy != ff on\\ndisk/prealloc\\n\\nAnalysis reveals that this is a false positive. There is a specific race\\nwindow where the bitmap and the group descriptor become momentarily\\ninconsistent, leading to this error report:\\n\\next4_mb_load_buddy                   ext4_mb_load_buddy\\n  __filemap_get_folio(create|lock)\\n    folio_lock\\n  ext4_mb_init_cache\\n    folio_mark_uptodate\\n                                     __filemap_get_folio(no lock)\\n                                     ......\\n                                     mb_mark_used\\n                                       mb_mark_used_double\\n  mb_cmp_bitmaps\\n                                       mb_set_bits(e4b-\u003ebd_bitmap)\\n  folio_unlock\\n\\nThe original logic assumed that since mb_cmp_bitmaps is called when the\\nbitmap is newly loaded from disk, the folio lock would be sufficient to\\nprevent concurrent access. However, this overlooks a specific race\\ncondition: if another process attempts to load buddy and finds the folio\\nis already in an uptodate state, it will immediately begin using it without\\nholding folio lock.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/29a07d691d282faf38c33d4b61839b89399110f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/57e83bfbe1e412ac42daced2086f3c6f9a17bba0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bdc56a9c46b2a99c12313122b9352b619a2e719e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c05033cfc5c7699cd4df8d48cef94d01da755f24\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f29709a7a3fc38f5015d850504762cdef0e151f9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.