CVE-2026-46002

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()<br /> <br /> ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is<br /> zero or i_dtime is set, treating them as deleted. However, the case of<br /> i_nlink == 0 with a non-zero mode and zero dtime slips through. Since<br /> ext2 has no orphan list, such a combination can only result from<br /> filesystem corruption - a legitimate inode deletion always sets either<br /> i_dtime or clears i_mode before freeing the inode.<br /> <br /> A crafted image can exploit this gap to present such an inode to the<br /> VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via<br /> ext2_unlink(), ext2_rename() and ext2_rmdir():<br /> <br /> WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336<br /> CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1<br /> Call Trace:<br /> <br /> inode_dec_link_count include/linux/fs.h:2518 [inline]<br /> ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295<br /> vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477<br /> do_unlinkat+0x53e/0x730 fs/namei.c:4541<br /> __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587<br /> do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336<br /> CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1<br /> Call Trace:<br /> <br /> inode_dec_link_count include/linux/fs.h:2518 [inline]<br /> ext2_rename+0x35e/0x850 fs/ext2/namei.c:374<br /> vfs_rename+0xf2f/0x2060 fs/namei.c:5021<br /> do_renameat2+0xbe2/0xd50 fs/namei.c:5178<br /> __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223<br /> do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336<br /> CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1<br /> Call Trace:<br /> <br /> inode_dec_link_count include/linux/fs.h:2518 [inline]<br /> ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311<br /> vfs_rmdir+0x204/0x690 fs/namei.c:4348<br /> do_rmdir+0x372/0x3e0 fs/namei.c:4407<br /> __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577<br /> do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> <br /> <br /> Extend the existing i_nlink == 0 check to also catch this case,<br /> reporting the corruption via ext2_error() and returning -EFSCORRUPTED.<br /> This rejects the inode at load time and prevents it from reaching any<br /> of the namei.c paths.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 2.6.12.1 (including) 5.10.258 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.209 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.175 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.86 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*