CVE-2026-45892 - Vulnerability Details

- ext4: drop extent cache after doing PARTIAL_VALID1 zeroout

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: drop extent cache after doing PARTIAL_VALID1 zeroout

When splitting an unwritten extent in the middle and converting it to
initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and
EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.

Assume we have an unwritten file and buffered write in the middle of it
without dioread_nolock enabled, it will allocate blocks as written
extent.

0 A B N
[UUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDD--] D: valid data
|<- ->| ----> this range needs to be initialized

ext4_split_extent() first try to split this extent at B with
EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but
ext4_split_extent_at() failed to split this extent due to temporary lack
of space. It zeroout B to N and leave the entire extent as unwritten.

0 A B N
[UUUUUUUUUUUU] on-disk extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ] Z: zeroed data

ext4_split_extent() then try to split this extent at A with
EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and
leave an written extent from A to N.

0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUUUUUUUUUUU] extent status tree
[--DDDDDDDDZZ]

Finally ext4_map_create_blocks() only insert extent A to B to the extent
status tree, and leave an stale unwritten extent in the status tree.

0 A B N
[UUWWWWWWWWWW] on-disk extent W: written extent
[UUWWWWWWWWUU] extent status tree
[--DDDDDDDDZZ]

Fix this issue by always cached extent status entry after zeroing out
the second part.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the ext4 file system’s extent handling exposes a stale unwritten extent in the status tree after a partial zero‑out operation. The bug occurs when an unwritten file is split during a write; the kernel may leave behind an entry that still records the extent as unwritten, although the corresponding on‑disk data has been initialized. This inconsistency can cause subsequent read or write operations to observe corrupted or lost data, which directly impacts the reliability and integrity of stored files.

Affected Systems

The vulnerability is present in the Linux kernel’s ext4 implementation prior to the patch that removes the stale extent entry. All distributions that ship the kernel version containing this bug, regardless of release series, are affected until the kernel is updated to the fixed revision.

Risk and Exploitability

The exact CVSS score is not supplied, and the EPSS score is unavailable, so the exploitation probability cannot be quantified. The bug is a local‑system flaw that can be triggered by a user able to write to an unwritten file on an ext4 filesystem. Because it results in data corruption rather than code execution, the attack surface is limited to scenarios where the attacker can influence file contents, such as a privileged user or a compromised application. The fix is straightforward, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation at this time.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f0931a5c17005a0c4fc35bd1a001245effc3354b
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< c2ee51d684adca7645e4aa74adca13f6750390bc
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a1b962a821e7a52d48212ae269b45808b4411267
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 6d882ea3b0931b43530d44149b79fcd4ffc13030
`0`	affected	< 6.6.130
`0`	affected	< 6.12.75
`0`	affected	< 6.18.14
`0`	affected	< 6.19.4

Linux

affected

Version	Status	Constraints
`6.6.130`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f0931a5c17005a0c4fc35bd1a001245effc3354b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,d8ee559fccdef713f058cfe5f2c03dc9b18be3b1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,c2ee51d684adca7645e4aa74adca13f6750390bc)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a1b962a821e7a52d48212ae269b45808b4411267)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6d882ea3b0931b43530d44149b79fcd4ffc13030)`	affected	code_commit	—
`[0,6.6.130)`	affected	semver	—
`[0,6.12.75)`	affected	semver	—
`[0,6.18.14)`	affected	semver	—
`[0,6.19.4)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.20.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the ext4 fix that removes stale unwritten extents after a zero‑out operation. This is the most reliable mitigation and should be performed promptly.
If a kernel upgrade is not immediately possible, restrict write access to unwritten files or avoid partial writes by using full‑block writes or applications that write whole files at once. This can reduce the likelihood of the bug being triggered.
Enable file system integrity monitoring (e.g., fsck on boot, or auditd checks) to detect unexpected data corruption early and trigger recovery or alerts.

Generated by OpenCVE AI on May 27, 2026 at 15:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030
https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267
https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc
https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b

History

Wed, 27 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-122 CWE-665

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and buffered write in the middle of it without dioread_nolock enabled, it will allocate blocks as written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data \|<- ->\| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and leave the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and leave an written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only insert extent A to B to the extent status tree, and leave an stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always cached extent status entry after zeroing out the second part.
Title		ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030 https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267 https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1 https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:03.175Z

Updated: 2026-05-27T12:17:03.175Z

Reserved: 2026-05-13T15:03:33.083Z

Link: CVE-2026-45892

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:03.353

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:45:32Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object