Description
In the Linux kernel, the following vulnerability has been resolved:

iomap: fix invalid folio access when i_blkbits differs from I/O granularity

Commit aa35dd5cbc06 ("iomap: fix invalid folio access after
folio_end_read()") partially addressed invalid folio access for folios
without an ifs attached, but it did not handle the case where
1 << inode->i_blkbits matches the folio size but is different from the
granularity used for the IO, which means IO can be submitted for less
than the full folio for the !ifs case.

In this case, the condition:

if (*bytes_submitted == folio_len)
ctx->cur_folio = NULL;

in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and
iomap_read_end() will still be called on the folio even though the IO
helper owns it and will finish the read on it.

Fix this by unconditionally invalidating ctx->cur_folio for the !ifs
case.
Published: 2026-04-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains an issue in the iomap subsystem that allows an invalid folio to be accessed when the inode block size differs from the I/O granularity. In this scenario the read iterator fails to clear the current folio, causing the end helper to operate on a folio that is still owned by the I/O helper. This mis‑managing of kernel memory can result in corruption of kernel data structures, potentially giving an attacker the ability to execute arbitrary code or crash the system. The weakness stems from improper resource handling and read iterator logic.

Affected Systems

This vulnerability affects all releases of the Linux kernel that contain the faulty code path, until the patch identified by commit aa35dd5cbc06 is applied. The affected systems are any Linux installations running a kernel prior to this commit, regardless of distribution or architecture, because the flaw resides in core kernel files.

Risk and Exploitability

The CVSS score of 9.8 indicates high severity, but the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in CISA KEV. Although known exploits are not publicly documented, the potential for kernel memory corruption makes this a high‑consequence issue. Based on the description, it is inferred that the likely attack vector involves the attacker triggering a read of a file with block size configuration that mismatches the system's I/O granularity, requiring local or privileged access. Therefore, the vulnerability should be regarded as high‑risk until the fix is applied.

Generated by OpenCVE AI on May 7, 2026 at 21:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit aa35dd5cbc06, which unconditionally invalidates ctx->cur_folio for the non‑IFS case.
  • Apply the patch directly to custom kernel builds, ensuring the code follows CWE‑821 guidelines for memory reference validation.
  • After updating, conduct targeted I/O read tests on files with block sizes differing from the system's I/O granularity to verify that no invalid folio accesses occur.

Generated by OpenCVE AI on May 7, 2026 at 21:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Thu, 07 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-821
References

Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665
CWE-682

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: iomap: fix invalid folio access when i_blkbits differs from I/O granularity Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folio_end_read()") partially addressed invalid folio access for folios without an ifs attached, but it did not handle the case where 1 << inode->i_blkbits matches the folio size but is different from the granularity used for the IO, which means IO can be submitted for less than the full folio for the !ifs case. In this case, the condition: if (*bytes_submitted == folio_len) ctx->cur_folio = NULL; in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and iomap_read_end() will still be called on the folio even though the IO helper owns it and will finish the read on it. Fix this by unconditionally invalidating ctx->cur_folio for the !ifs case.
Title iomap: fix invalid folio access when i_blkbits differs from I/O granularity
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:12.840Z

Reserved: 2026-03-09T15:48:24.092Z

Link: CVE-2026-31463

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:42.323

Modified: 2026-05-07T18:30:03.400

Link: CVE-2026-31463

cve-icon Redhat

Severity :

Publid Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31463 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T22:00:12Z

Weaknesses