CVE-2026-45920 - Vulnerability Details

- ext4: fix dirtyclusters double decrement on fs shutdown

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix dirtyclusters double decrement on fs shutdown

fstests test generic/388 occasionally reproduces a warning in
ext4_put_super() associated with the dirty clusters count:

WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]

Tracing the failure shows that the warning fires due to an
s_dirtyclusters_counter value of -1. IOW, this appears to be a
spurious decrement as opposed to some sort of leak. Further tracing
of the dirty cluster count deltas and an LLM scan of the resulting
output identified the cause as a double decrement in the error path
between ext4_mb_mark_diskspace_used() and the caller
ext4_mb_new_blocks().

First, note that generic/388 is a shutdown vs. fsstress test and so
produces a random set of operations and shutdown injections. In the
problematic case, the shutdown triggers an error return from the
ext4_handle_dirty_metadata() call(s) made from
ext4_mb_mark_context(). The changed value is non-zero at this point,
so ext4_mb_mark_diskspace_used() does not exit after the error
bubbles up from ext4_mb_mark_context(). Instead, the former
decrements both cluster counters and returns the error up to
ext4_mb_new_blocks(). The latter falls into the !ar->len out path
which decrements the dirty clusters counter a second time, creating
the inconsistency.

To avoid this problem and simplify ownership of the cluster
reservation in this codepath, lift the counter reduction to a single
place in the caller. This makes it more clear that
ext4_mb_new_blocks() is responsible for acquiring cluster
reservation (via ext4_claim_free_clusters()) in the !delalloc case
as well as releasing it, regardless of whether it ends up consumed
or returned due to failure.

Published: 2026-05-27

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an internal double decrement of the dirty cluster counter in the ext4 filesystem during certain error paths that occur on filesystem shutdown. This oversight causes the counter to become negative and triggers a kernel warning, potentially producing noisy log output.

Affected Systems

Linux kernels that implement ext4 and do not include the failed double‑decrement fix are affected. All distributions that ship the unpatched kernel, whether in stock or custom builds, could experience the warning during shutdown or when a block allocation error is encountered.

Risk and Exploitability

The CVSS score is 5.5 and the EPSS score is less than 1 %; the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local or privileged execution that triggers the filesystem shutdown or an allocation error path. The reported impact is limited to a warning; no evidence of failure to enforce integrity, confidentiality, or availability is provided.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 523d5a4df3c649fa305c89efb552ec62a1ce9d3d
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< ca408af08544d96769c93a3d81a7f63f61129e95
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 55576fa14771d33994c29a9ae960e07bb3f56c20
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< dbc4e10619ed87a50e637b96f2e574df36a7a769
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 61e372122b6d95aec940fdaea0a16f988f359897
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 3924aea2c33df3864929c1acd178bfc29d8f005f
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 81982a11406c5da6c6e2b188028e7056e16b7128
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 94a8cea54cd935c54fa2fba70354757c0fc245e3

Linux

affected

Version	Status	Constraints
`2.6.29`	affected	—
`0`	unaffected	< 2.6.29
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,523d5a4df3c649fa305c89efb552ec62a1ce9d3d)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,ca408af08544d96769c93a3d81a7f63f61129e95)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,55576fa14771d33994c29a9ae960e07bb3f56c20)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,dbc4e10619ed87a50e637b96f2e574df36a7a769)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,61e372122b6d95aec940fdaea0a16f988f359897)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,3924aea2c33df3864929c1acd178bfc29d8f005f)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,81982a11406c5da6c6e2b188028e7056e16b7128)`	affected	code_commit	—
`[0087d9fb3f29f59e8d42c8b058376d80e5adde4c,94a8cea54cd935c54fa2fba70354757c0fc245e3)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.29`	affected	semver	—
`[0,2.6.29)`	unaffected	semver	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel patch that includes the ext4 commit 3924aea2c33df3864929c1acd178bfc29d8f005f to eliminate the double decrement.
If a kernel upgrade is not immediately possible, backport or apply a vendor-provided backport that contains the same change.
Continuously monitor system logs for the 'ext4_put_super' warning; persistent occurrences should trigger a review of filesystem consistency and consideration of upgrading the kernel.

Generated by OpenCVE AI on May 28, 2026 at 17:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0019.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f
https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d
https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20
https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897
https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128
https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3
https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95
https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769
https://lore.kernel.org/linux-cve-announce/2026052724-CVE-2026-45920-db68@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45920
https://www.cve.org/CVERecord?id=CVE-2026-45920

History

Thu, 28 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-191

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026052724-CVE-2026-45920-db68@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45920 https://www.cve.org/CVERecord?id=CVE-2026-45920
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 27 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-191

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure.
Title		ext4: fix dirtyclusters double decrement on fs shutdown
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20 https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897 https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128 https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3 https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95 https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:38.234Z

Updated: 2026-05-27T12:17:38.234Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45920

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:06.930

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45920

Redhat

Severity : Low

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45920 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses

CWE-911
Improper Update of Reference Count

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object