Description
In the Linux kernel, the following vulnerability has been resolved:

iomap: fix invalid folio access when i_blkbits differs from I/O granularity

Commit aa35dd5cbc06 ("iomap: fix invalid folio access after
folio_end_read()") partially addressed invalid folio access for folios
without an ifs attached, but it did not handle the case where
1 << inode->i_blkbits matches the folio size but is different from the
granularity used for the IO, which means IO can be submitted for less
than the full folio for the !ifs case.

In this case, the condition:

if (*bytes_submitted == folio_len)
ctx->cur_folio = NULL;

in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and
iomap_read_end() will still be called on the folio even though the IO
helper owns it and will finish the read on it.

Fix this by unconditionally invalidating ctx->cur_folio for the !ifs
case.
Published: 2026-04-22
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Kernel memory corruption could lead to arbitrary code execution or denial of service.
Action: Immediate Patch
AI Analysis

Impact

The Linux kernel contains an issue in the iomap subsystem that allows an invalid folio to be accessed when the inode block size differs from the I/O granularity. In this scenario the read iterator fails to clear the current folio, causing the end helper to operate on a folio that is still owned by the I/O helper. This mismanaging of kernel memory can result in corruption of kernel data structures, potentially giving an attacker the ability to execute arbitrary code or crash the system. The weakness stems from improper resource handling and read iterator logic.

Affected Systems

This vulnerability affects all releases of the Linux kernel in which the faulty code path exists, until the patch identified by commit aa35dd5cbc06 is applied. The affected systems are any Linux installations running a kernel prior to this commit, regardless of distribution or architecture, because the flaw resides in core kernel files. The exact version range cannot be listed because the data does not provide a version list.

Risk and Exploitability

No CVSS or EPSS scores are available, and the issue is not listed in CISA KEV. The lack of publicly documented exploitation reduces immediate risk, but kernel memory corruption remains a high‑consequence issue. The likely attack vector requires the attacker to cause the kernel to read from a file whose block size configuration triggers the mis‑aligned i_blkbits pattern, which implies local or privileged access. Consequently, the vulnerability should be treated as a high‑risk kernel issue until the relevant patch is deployed.

Generated by OpenCVE AI on April 22, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit aa35dd5cbc06, which unconditionally invalidates ctx->cur_folio for the non‑IFS case.
  • If using a custom kernel, recompile the kernel with the patch commit applied.
  • As a short‑term measure, avoid performing I/O operations on files whose block sizes do not match the system's I/O granularity until the kernel is updated.

Generated by OpenCVE AI on April 22, 2026 at 19:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References

Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iomap: fix invalid folio access when i_blkbits differs from I/O granularity Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folio_end_read()") partially addressed invalid folio access for folios without an ifs attached, but it did not handle the case where 1 << inode->i_blkbits matches the folio size but is different from the granularity used for the IO, which means IO can be submitted for less than the full folio for the !ifs case. In this case, the condition: if (*bytes_submitted == folio_len) ctx->cur_folio = NULL; in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and iomap_read_end() will still be called on the folio even though the IO helper owns it and will finish the read on it. Fix this by unconditionally invalidating ctx->cur_folio for the !ifs case.
Title iomap: fix invalid folio access when i_blkbits differs from I/O granularity
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-22T13:53:54.224Z

Reserved: 2026-03-09T15:48:24.092Z

Link: CVE-2026-31463

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:42.323

Modified: 2026-04-23T16:17:41.280

Link: CVE-2026-31463

cve-icon Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31463 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:30:26Z

Weaknesses