CVE-2026-45985
CVSS v3.1 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
27/05/2026
Last modified:
16/06/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O

When allocating blocks during within-EOF DIO and writeback with
dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an
existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was
set when calling ext4_split_convert_extents(), which may potentially
result in stale data issues.

Assume we have an unwritten extent, and then DIO writes the second half.

[UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent
[UUUUUUUUUUUUUUUU] extent status tree
|| ----> dio write this range

First, ext4_iomap_alloc() calls ext4_map_blocks() with
EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and
EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() finds this extent and
calls ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the
above flags set.

Then, ext4_split_convert_extents() calls ext4_split_extent() with
EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2
flags set, and it calls ext4_split_extent_at() to split the second half
with EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT
and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at()
failed to insert extent since a temporary lack -ENOSPC. It zeroes out
the first half but converts the entire on-disk extent to written since
the EXT4_EXT_DATA_VALID2 flag is set, but leaves the second half as unwritten
in the extent status tree.

[0000000000SSSSSS] data S: stale data, 0: zeroed
[WWWWWWWWWWWWWWWW] on-disk extent W: written extent
[WWWWWWWWWWUUUUUU] extent status tree

Finally, if the DIO failed to write data to the disk, the stale data in
the second half will be exposed once the cached extent entry is gone.

Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting
an unwritten extent before submitting I/O, and make
ext4_split_convert_extents() to zero out the entire extent range
to zero for this case, and also mark the extent in the extent status
tree for consistency.
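The state sequence described above can be replayed with a small user-space model. This is an added illustration, not kernel code and not part of the advisory or the upstream commit; the struct, the function names and the 10/6 block split (taken from the diagrams) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define NBLK  16   /* blocks in the extent, as drawn in the diagrams */
#define SPLIT 10   /* DIO targets blocks [SPLIT, NBLK) */

struct model {
    char data[NBLK + 1];    /* 'S' stale, '0' zeroed */
    char ondisk[NBLK + 1];  /* 'U' unwritten, 'W' written */
    char es[NBLK + 1];      /* extent status tree (in-memory cache) */
};

/* Models the split fallback taken after the extent insert hits -ENOSPC. */
static void split_enospc(struct model *m, int fixed)
{
    /* before the fix only the first half is zeroed; after it, the whole range */
    memset(m->data, '0', fixed ? NBLK : SPLIT);
    memset(m->ondisk, 'W', NBLK);              /* whole on-disk extent written */
    memset(m->es, 'W', fixed ? NBLK : SPLIT);  /* fixed: cache matches the disk */
}

/* Returns how many stale blocks a reader can see after a failed DIO. */
int stale_after_failed_dio(int fixed)
{
    struct model m;
    int i, stale = 0;

    memset(&m, 0, sizeof(m));
    memset(m.data, 'S', NBLK);     /* unwritten blocks still hold old data */
    memset(m.ondisk, 'U', NBLK);
    memset(m.es, 'U', NBLK);

    split_enospc(&m, fixed);
    /* the DIO fails here: nothing is written to blocks [SPLIT, NBLK) */
    memcpy(m.es, m.ondisk, NBLK);  /* cached entry gone, state reloaded from disk */

    for (i = 0; i < NBLK; i++)     /* unwritten blocks would read back as zeroes */
        if (m.es[i] == 'W' && m.data[i] == 'S')
            stale++;
    return stale;
}

int main(void)
{
    printf("before fix: %d stale blocks readable\n", stale_after_failed_dio(0));
    printf("after fix:  %d stale blocks readable\n", stale_after_failed_dio(1));
    return 0;
}
```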
Impact
Base score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.15 (including) | 5.10.253 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.203 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.6.130 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.77 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.4 (excluding) |
To consult the full list of CPE names with products and versions, see this page
References to solutions, tools and information
- https://git.kernel.org/stable/c/2698731d25823267c29190cb578da9296a0c0d7b
- https://git.kernel.org/stable/c/2920ec61c98b9476781359f05b94da84e80f54d4
- https://git.kernel.org/stable/c/37555690f39f78ef69af347d9aff897e07445949
- https://git.kernel.org/stable/c/67cdb7bd7442bd3cdc6d6088bbb2df9be2fe936c
- https://git.kernel.org/stable/c/716e7439a5a9b18c3ff882c2f8c834b9ced1aaec
- https://git.kernel.org/stable/c/77e407967cd872cd75d7e4a691908e49c8e6b4d4
- https://git.kernel.org/stable/c/feaf2a80e78f89ee8a3464126077ba8683b62791



