CVE-2026-45920 - Vulnerability Details

- ext4: fix dirtyclusters double decrement on fs shutdown

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix dirtyclusters double decrement on fs shutdown

fstests test generic/388 occasionally reproduces a warning in
ext4_put_super() associated with the dirty clusters count:

WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]

Tracing the failure shows that the warning fires due to an
s_dirtyclusters_counter value of -1. IOW, this appears to be a
spurious decrement as opposed to some sort of leak. Further tracing
of the dirty cluster count deltas and an LLM scan of the resulting
output identified the cause as a double decrement in the error path
between ext4_mb_mark_diskspace_used() and the caller
ext4_mb_new_blocks().

First, note that generic/388 is a shutdown vs. fsstress test and so
produces a random set of operations and shutdown injections. In the
problematic case, the shutdown triggers an error return from the
ext4_handle_dirty_metadata() call(s) made from
ext4_mb_mark_context(). The changed value is non-zero at this point,
so ext4_mb_mark_diskspace_used() does not exit after the error
bubbles up from ext4_mb_mark_context(). Instead, the former
decrements both cluster counters and returns the error up to
ext4_mb_new_blocks(). The latter falls into the !ar->len out path
which decrements the dirty clusters counter a second time, creating
the inconsistency.

To avoid this problem and simplify ownership of the cluster
reservation in this codepath, lift the counter reduction to a single
place in the caller. This makes it more clear that
ext4_mb_new_blocks() is responsible for acquiring cluster
reservation (via ext4_claim_free_clusters()) in the !delalloc case
as well as releasing it, regardless of whether it ends up consumed
or returned due to failure.

Published: 2026-05-27

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is an internal logic error in the ext4 filesystem code where the dirty cluster counter is decremented twice during certain error paths on filesystem shutdown. This leads to a negative counter value and triggers a kernel warning, but the description provides no evidence that the flaw causes data corruption, privilege escalation, or denial‑of‑service. The vulnerability appears to be limited to incorrect counter bookkeeping and log noise. The likely attack vector would require local privileged access to provoke the specific error condition during block allocation or shutdown, and no remote exploitation path is described.

Affected Systems

Any Linux kernel that implements the ext4 filesystem and does not include the patch that fixes the double decrement. No specific version range is given; therefore, all kernels preceding the commit that applied the fix are potentially affected.

Risk and Exploitability

No CVSS or EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the available information, there is no documented exploit and the flaw does not appear to affect confidentiality, integrity, or availability directly. The risk is considered low; an unpatched system may generate occasional warning messages that could cause confusion during troubleshooting, but it does not provide a foothold for an attacker.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 523d5a4df3c649fa305c89efb552ec62a1ce9d3d
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< ca408af08544d96769c93a3d81a7f63f61129e95
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 55576fa14771d33994c29a9ae960e07bb3f56c20
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< dbc4e10619ed87a50e637b96f2e574df36a7a769
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 61e372122b6d95aec940fdaea0a16f988f359897
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 3924aea2c33df3864929c1acd178bfc29d8f005f
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 81982a11406c5da6c6e2b188028e7056e16b7128
`0087d9fb3f29f59e8d42c8b058376d80e5adde4c`	affected	< 94a8cea54cd935c54fa2fba70354757c0fc245e3

Linux

affected

Version	Status	Constraints
`2.6.29`	affected	—
`0`	unaffected	< 2.6.29
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the ext4 patch for the double decrement bug (commit 3924aea2c33df3864929c1acd178bfc29d8f005f).
If an immediate kernel upgrade is not feasible, patch or replace the ext4 module with the corrected implementation from the cited commit.
Monitor kernel logs for "ext4_put_super" warnings; persistent warnings should trigger a review of the kernel’s ext4 implementation.

Generated by OpenCVE AI on May 27, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f
https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d
https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20
https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897
https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128
https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3
https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95
https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769

History

Wed, 27 May 2026 18:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-191

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure.
Title		ext4: fix dirtyclusters double decrement on fs shutdown
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20 https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897 https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128 https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3 https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95 https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:38.234Z

Updated: 2026-05-27T12:17:38.234Z

Reserved: 2026-05-13T15:03:33.085Z

Link: CVE-2026-45920

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:06.930

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45920

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T17:45:33Z

Weaknesses

CWE-191

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object