IM
IronMonkey Threat Research

CVE-2026-31448 CRITICAL

Published: 2026-04-22 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously. The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1]. If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases: 1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case. 2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks. [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline]

CVSS Metrics

Base Score: 9.4 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactLOW
Integrity ImpactHIGH
Availability ImpactHIGH

Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Type: Secondary

Exploitability Score: 3.9

Impact Score: 5.5

Weaknesses

Source Type Description
[email protected] Primary
en CWE-835

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdc60c280> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b80610580> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702ba705e640> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd12bd00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdc60ecc0> Operating System
linux linux_kernel 2.6.22 <built-in method update of dict object at 0x702bdc60fb40> Operating System
linux linux_kernel 2.6.22 <built-in method update of dict object at 0x702ba705ca80> Operating System
linux linux_kernel 2.6.22 <built-in method update of dict object at 0x702ba705f280> Operating System
linux linux_kernel 2.6.22 <built-in method update of dict object at 0x702ba705e740> Operating System
linux linux_kernel 2.6.22 <built-in method update of dict object at 0x702bdc60fe80> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702ba705d480> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702b80610780> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702ba705eb80> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702ba705d940> Operating System
linux linux_kernel 7.0 <built-in method update of dict object at 0x702ba705fc80> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.22:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.22:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.22:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.22:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:2.6.22:rc7:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*

References

Notification
Message here