Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: drop extent cache after doing PARTIAL_VALID1 zeroout

When splitting an unwritten extent in the middle and converting it to
initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and
EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.

Assume we have an unwritten file and buffered write in the middle of it
without dioread_nolock enabled, it will allocate blocks as written
extent.

0 A B N
[UUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDD--] D: valid data
|<- ->| ----> this range needs to be initialized

ext4_split_extent() first try to split this extent at B with
EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but
ext4_split_extent_at() failed to split this extent due to temporary lack
of space. It zeroout B to N and leave the entire extent as unwritten.

0 A B N
[UUUUUUUUUUUU] on-disk extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ] Z: zeroed data

ext4_split_extent() then try to split this extent at A with
EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and
leave an written extent from A to N.

0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ]

Finally ext4_map_create_blocks() only insert extent A to B to the extent
status tree, and leave an stale unwritten extent in the status tree.

0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUWWWWWWWWUU] extent status tree
[--DDDDDDDDZZ]

Fix this issue by always cached extent status entry after zeroing out
the second part.
Published: 2026-05-27
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw arises from ext4’s handling of unwritten extents during a partial zero‑out operation. When the kernel splits an unwritten extent in the middle and a temporary failure occurs, it leaves a stale unwritten extent entry in the on‑disk extent status tree. A later successful split creates a written extent over the same region, but the stale entry remains, causing a mismatch between the on‑disk data and the filesystem metadata. This can result in corrupted reads or writes to the affected file, directly damaging file integrity. The defect does not provide code execution or privilege escalation; it is purely a data corruption flaw. The likely attack vector, inferred from the description, is a local write to an unwritten file, as the kernel path that manages extents requires sufficient privilege to modify file metadata.

Affected Systems

The vulnerability exists in all Linux kernels that include the ext4 file system with the unpatched extent‑split logic. Any distribution shipping a kernel containing this code path—regardless of release series—remains vulnerable until the fixed revision is installed. Exact affected version ranges are not disclosed in the vulnerability data, so administrators should treat any kernel prior to the patch as vulnerable.

Risk and Exploitability

The CVSS score of 7.0 indicates medium severity, and the EPSS score of <1% shows a very low likelihood of exploitation. Inferred from the description, the defect is a local‑system vulnerability that requires write access to an unwritten file; an attacker with local or privileged access can trigger it. The vulnerability does not grant denial of service or code execution, but it can corrupt data, potentially leading to application failures. It is not listed in CISA’s KEV catalog, implying no known widespread exploitation to date.

Generated by OpenCVE AI on May 28, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that contains the ext4 patch that removes stale unwritten extent entries after a zero‑out operation.
  • If an immediate kernel upgrade is not feasible, avoid performing partial zero‑out writes on unwritten files; instead, write full files atomically or flush data using complete writes to prevent the bug from being triggered.
  • Run regular filesystem integrity checks, such as fsck or auditd monitoring, to detect and repair any corruption that may arise from the vulnerability.

Generated by OpenCVE AI on May 28, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 11:00:00 +0000

Type Values Removed Values Added
References

Thu, 28 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-665

Thu, 28 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 27 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-665

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and buffered write in the middle of it without dioread_nolock enabled, it will allocate blocks as written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data |<- ->| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and leave the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and leave an written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only insert extent A to B to the extent status tree, and leave an stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always cached extent status entry after zeroing out the second part.
Title ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-30T10:41:42.703Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45892

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.353

Modified: 2026-06-17T10:52:41.013

Link: CVE-2026-45892

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45892 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T17:30:15Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition