Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access

The bounds check for the next xattr entry in check_xattrs() uses
(void *)next >= end, which allows next to point within sizeof(u32)
bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4
bytes via *(__u32 *)(entry), which can overrun the valid xattr region.

For example, if next lands at end - 1, the check passes since
next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1,
accessing 3 bytes beyond the valid region.

Fix this by changing the check to (void *)next + sizeof(u32) > end,
ensuring there is always enough space for the IS_LAST_ENTRY() read
on the subsequent iteration.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an incorrect bounds check in the ext4 filesystem’s check_xattrs() function. The comparison used allows a pointer to come within the size of an unsigned 32‑bit value of the buffer’s end, after which a 4‑byte read occurs that overruns the intended extended attribute region. This leads to an out‑of‑bounds read in kernel space. The CVE description does not elaborate on additional effects beyond the read, but the weakness falls under improper bounds validation and buffer over-read.

Affected Systems

All Linux systems running kernel versions that contain the unpatched ext4 driver are affected. The kernel’s CPE string indicates coverage of the entire Linux kernel family, and no specific vulnerable versions are listed in the CVE data, so any build prior to the linked patch commit should be considered vulnerable.

Risk and Exploitability

No CVSS score is provided and the EPSS score is not available, so the exploitation likelihood cannot be quantified. The vulnerability is not included in the CISA KEV catalog, indicating no documented mass exploitation. Triggering the out‑of‑bounds read requires the kernel to process extended attributes on an ext4 volume. The exact conditions that activate the vulnerable code path are not specified in the CVE, so the precise attack vector remains unspecified. Based on the description, it is inferred that the kernel must perform the check during normal filesystem operations such as mounting or reading the filesystem; therefore the flaw likely requires local or privileged access to bring the code path into play.

Generated by OpenCVE AI on May 27, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that includes the ext4 patch commit
  • Check the distribution’s security advisories for kernel updates that address the issue
  • If a kernel update is not immediately possible, restrict mounting or processing of untrusted ext4 images to minimize the chance of triggering the flaw

Generated by OpenCVE AI on May 27, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129
CWE-787

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access The bounds check for the next xattr entry in check_xattrs() uses (void *)next >= end, which allows next to point within sizeof(u32) bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4 bytes via *(__u32 *)(entry), which can overrun the valid xattr region. For example, if next lands at end - 1, the check passes since next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1, accessing 3 bytes beyond the valid region. Fix this by changing the check to (void *)next + sizeof(u32) > end, ensuring there is always enough space for the IS_LAST_ENTRY() read on the subsequent iteration.
Title ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:45.304Z

Reserved: 2026-05-13T15:03:33.097Z

Link: CVE-2026-46094

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:30.963

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T21:30:34Z

Weaknesses