CVE-2026-46002
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()<br />
<br />
ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is<br />
zero or i_dtime is set, treating them as deleted. However, the case of<br />
i_nlink == 0 with a non-zero mode and zero dtime slips through. Since<br />
ext2 has no orphan list, such a combination can only result from<br />
filesystem corruption - a legitimate inode deletion always sets either<br />
i_dtime or clears i_mode before freeing the inode.<br />
<br />
A crafted image can exploit this gap to present such an inode to the<br />
VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via<br />
ext2_unlink(), ext2_rename() and ext2_rmdir():<br />
<br />
WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336<br />
CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1<br />
Call Trace:<br />
<br />
inode_dec_link_count include/linux/fs.h:2518 [inline]<br />
ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295<br />
vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477<br />
do_unlinkat+0x53e/0x730 fs/namei.c:4541<br />
__x64_sys_unlink+0xc6/0x110 fs/namei.c:4587<br />
do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
<br />
WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336<br />
CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1<br />
Call Trace:<br />
<br />
inode_dec_link_count include/linux/fs.h:2518 [inline]<br />
ext2_rename+0x35e/0x850 fs/ext2/namei.c:374<br />
vfs_rename+0xf2f/0x2060 fs/namei.c:5021<br />
do_renameat2+0xbe2/0xd50 fs/namei.c:5178<br />
__x64_sys_rename+0x7e/0xa0 fs/namei.c:5223<br />
do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
<br />
WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336<br />
CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1<br />
Call Trace:<br />
<br />
inode_dec_link_count include/linux/fs.h:2518 [inline]<br />
ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311<br />
vfs_rmdir+0x204/0x690 fs/namei.c:4348<br />
do_rmdir+0x372/0x3e0 fs/namei.c:4407<br />
__x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577<br />
do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
<br />
<br />
Extend the existing i_nlink == 0 check to also catch this case,<br />
reporting the corruption via ext2_error() and returning -EFSCORRUPTED.<br />
This rejects the inode at load time and prevents it from reaching any<br />
of the namei.c paths.<br />
<br />
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 2.6.12.1 (including) | 5.10.258 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.209 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.175 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.140 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.86 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.27 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 7.0.4 (excluding) |
| cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5
- https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f
- https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b
- https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae
- https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d
- https://git.kernel.org/stable/c/9e2d67fb2b73eeff8b601e26b332128eae8147bb
- https://git.kernel.org/stable/c/a69a0c5156b6f0092b9fcf44517f5831a962de2d
- https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239



