CVE-2026-45912 - Vulnerability Details

- ext4: don't cache extent during splitting extent

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: don't cache extent during splitting extent

Caching extents during the splitting process is risky, as it may result
in stale extents remaining in the status tree. Moreover, in most cases,
the corresponding extent block entries are likely already cached before
the split happens, making caching here not particularly useful.

Assume we have an unwritten extent, and then DIO writes the first half.

[UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUUUUUU] extent status tree
|<- ->| ----> dio write this range

First, when ext4_split_extent_at() splits this extent, it truncates the
existing extent and then inserts a new one. During this process, this
extent status entry may be shrunk, and calls to ext4_find_extent() and
ext4_cache_extents() may occur, which could potentially insert the
truncated range as a hole into the extent status tree. After the split
is completed, this hole is not replaced with the correct status.

[UUUUUUU|UUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUU|HHHHHHHH] extent status tree H: hole

Then, the outer calling functions will not correct this remaining hole
extent either. Finally, if we perform a delayed buffer write on this
latter part, it will re-insert the delayed extent and cause an error in
space accounting.

In adition, if the unwritten extent cache is not shrunk during the
splitting, ext4_cache_extents() also conflicts with existing extents
when caching extents. In the future, we will add checks when caching
extents, which will trigger a warning. Therefore, Do not cache extents
that are being split.

Published: 2026-05-27

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw in the Linux kernel’s ext4 file system prevents proper caching of extents during the split operation. When an unwritten extent is divided, the status tree can be left with a hole that is not corrected, and subsequent delayed buffer writes may re‑insert the wrong extent data. This mismatch silently corrupts the file system’s space accounting, potentially leading to data loss, corrupted files, or unexpected file system behavior. The weakness stems from improper handling of cached extents and can compromise file integrity and availability.

Affected Systems

This vulnerability affects all Linux kernel builds containing the ext4 filesystem, as indicated by the generic Linux kernel CPE. Any system running a kernel version that has not yet incorporated the patch from commit 4c2d9dac4d328244f9365b0a1fa27ec802821820 and related fixes is susceptible.

Risk and Exploitability

With a CVSS score of 7.0, the defect allows an attacker with the ability to write files to the underlying ext4 volume to cause subtle metadata corruption. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting limited public exploitation data at the time of reporting. Nonetheless, the bug can be triggered by normal file write operations (including DIO writes) and can cause denial‑of‑service or data integrity problems if not addressed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 8302b5b4aacdbb378f7b1216bb2ee782b5142415
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 692103feca376ae4298c92aa8828015d20f1d87b
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 4c2d9dac4d328244f9365b0a1fa27ec802821820
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 96007fd3c106aea773c1afae2d6f64cceb6da208
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 5b1f4290453314e11cd8e15c7baa8a9b76c19b23
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 9a2b95cdaf07785e2739199037bd9c0863ccc1be
`107a7bd31ac003e42c0f966aa8e5b26947de6024`	affected	< 8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79

Linux

affected

Version	Status	Constraints
`3.12`	affected	—
`0`	unaffected	< 3.12
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8302b5b4aacdbb378f7b1216bb2ee782b5142415)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,692103feca376ae4298c92aa8828015d20f1d87b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4c2d9dac4d328244f9365b0a1fa27ec802821820)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,96007fd3c106aea773c1afae2d6f64cceb6da208)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,5b1f4290453314e11cd8e15c7baa8a9b76c19b23)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9a2b95cdaf07785e2739199037bd9c0863ccc1be)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79)`	affected	code_commit	—
`[0,5.10.252)`	affected	semver	—
`[0,5.15.202)`	affected	semver	—
`[0,6.1.165)`	affected	semver	—
`[0,6.6.128)`	affected	semver	—
`[0,6.12.75)`	affected	semver	—
`[0,6.18.14)`	affected	semver	—
`[0,6.19.4)`	affected	semver	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.252,5.10.*]`	unaffected	generic	—
`[5.15.202,5.15.*]`	unaffected	generic	—
`[6.1.165,6.1.*]`	unaffected	generic	—
`[6.6.128,6.6.*]`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.14,6.18.*]`	unaffected	generic	—
`[6.19.4,6.19.*]`	unaffected	generic	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a kernel version that includes the ext4 split‑extent cache fix (e.g., a stable release after commit 4c2d9dac4d328244f9365b0a1fa27ec802821820).
If using a custom or patched kernel, apply the necessary commit from the Linux kernel repository and recompile the kernel, then reboot to enforce the change.
After the kernel upgrade or patch, verify filesystem integrity using tools such as e2fsck on unmounted volumes or run fsck during boot to detect and repair any residual space‑accounting inconsistencies.

Generated by OpenCVE AI on May 28, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00176.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820
https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23
https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b
https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415
https://git.kernel.org/stable/c/8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79
https://git.kernel.org/stable/c/93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036
https://git.kernel.org/stable/c/96007fd3c106aea773c1afae2d6f64cceb6da208
https://git.kernel.org/stable/c/9a2b95cdaf07785e2739199037bd9c0863ccc1be
https://lore.kernel.org/linux-cve-announce/2026052722-CVE-2026-45912-0e6d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45912
https://www.cve.org/CVERecord?id=CVE-2026-45912

History

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-372
References		https://lore.kernel.org/linux-cve-announce/2026052722-CVE-2026-45912-0e6d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45912 https://www.cve.org/CVERecord?id=CVE-2026-45912
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ext4: don't cache extent during splitting extent Caching extents during the splitting process is risky, as it may result in stale extents remaining in the status tree. Moreover, in most cases, the corresponding extent block entries are likely already cached before the split happens, making caching here not particularly useful. Assume we have an unwritten extent, and then DIO writes the first half. [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUUUUUU] extent status tree \|<- ->\| ----> dio write this range First, when ext4_split_extent_at() splits this extent, it truncates the existing extent and then inserts a new one. During this process, this extent status entry may be shrunk, and calls to ext4_find_extent() and ext4_cache_extents() may occur, which could potentially insert the truncated range as a hole into the extent status tree. After the split is completed, this hole is not replaced with the correct status. [UUUUUUU\|UUUUUUUU] on-disk extent U: unwritten extent [UUUUUUU\|HHHHHHHH] extent status tree H: hole Then, the outer calling functions will not correct this remaining hole extent either. Finally, if we perform a delayed buffer write on this latter part, it will re-insert the delayed extent and cause an error in space accounting. In adition, if the unwritten extent cache is not shrunk during the splitting, ext4_cache_extents() also conflicts with existing extents when caching extents. In the future, we will add checks when caching extents, which will trigger a warning. Therefore, Do not cache extents that are being split.
Title		ext4: don't cache extent during splitting extent
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4c2d9dac4d328244f9365b0a1fa27ec802821820 https://git.kernel.org/stable/c/5b1f4290453314e11cd8e15c7baa8a9b76c19b23 https://git.kernel.org/stable/c/692103feca376ae4298c92aa8828015d20f1d87b https://git.kernel.org/stable/c/8302b5b4aacdbb378f7b1216bb2ee782b5142415 https://git.kernel.org/stable/c/8b4b19a2f96348d70bfa306ef7d4a13b0bcbea79 https://git.kernel.org/stable/c/93b2ebbbcb2e63cfc21a1946dfe91d3aa7952036 https://git.kernel.org/stable/c/96007fd3c106aea773c1afae2d6f64cceb6da208 https://git.kernel.org/stable/c/9a2b95cdaf07785e2739199037bd9c0863ccc1be

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:27.805Z

Updated: 2026-05-30T10:41:46.666Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45912

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:05.867

Modified: 2026-06-17T10:52:43.090

Link: CVE-2026-45912

Redhat

Severity : Moderate

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45912 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T14:15:19Z

Weaknesses

CWE-372
Incomplete Internal State Distinction

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object