CVE-2026-45920

Severity CVSS v4.0:
Pending analysis
Type:
CWE-415 Double Free
Publication date:
27/05/2026
Last modified:
24/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix dirtyclusters double decrement on fs shutdown<br /> <br /> fstests test generic/388 occasionally reproduces a warning in<br /> ext4_put_super() associated with the dirty clusters count:<br /> <br /> WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]<br /> <br /> Tracing the failure shows that the warning fires due to an<br /> s_dirtyclusters_counter value of -1. IOW, this appears to be a<br /> spurious decrement as opposed to some sort of leak. Further tracing<br /> of the dirty cluster count deltas and an LLM scan of the resulting<br /> output identified the cause as a double decrement in the error path<br /> between ext4_mb_mark_diskspace_used() and the caller<br /> ext4_mb_new_blocks().<br /> <br /> First, note that generic/388 is a shutdown vs. fsstress test and so<br /> produces a random set of operations and shutdown injections. In the<br /> problematic case, the shutdown triggers an error return from the<br /> ext4_handle_dirty_metadata() call(s) made from<br /> ext4_mb_mark_context(). The changed value is non-zero at this point,<br /> so ext4_mb_mark_diskspace_used() does not exit after the error<br /> bubbles up from ext4_mb_mark_context(). Instead, the former<br /> decrements both cluster counters and returns the error up to<br /> ext4_mb_new_blocks(). The latter falls into the !ar-&gt;len out path<br /> which decrements the dirty clusters counter a second time, creating<br /> the inconsistency.<br /> <br /> To avoid this problem and simplify ownership of the cluster<br /> reservation in this codepath, lift the counter reduction to a single<br /> place in the caller. This makes it more clear that<br /> ext4_mb_new_blocks() is responsible for acquiring cluster<br /> reservation (via ext4_claim_free_clusters()) in the !delalloc case<br /> as well as releasing it, regardless of whether it ends up consumed<br /> or returned due to failure.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.29 (including) 5.10.253 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.203 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.167 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.130 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)