Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-45985

Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
27/05/2026
Última modificación:
16/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: don&amp;#39;t set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O<br /> <br /> When allocating blocks during within-EOF DIO and writeback with<br /> dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an<br /> existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was<br /> set when calling ext4_split_convert_extents(), which may potentially<br /> result in stale data issues.<br /> <br /> Assume we have an unwritten extent, and then DIO writes the second half.<br /> <br /> [UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent<br /> [UUUUUUUUUUUUUUUU] extent status tree<br /> || ----&gt; dio write this range<br /> <br /> First, ext4_iomap_alloc() call ext4_map_blocks() with<br /> EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and<br /> EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() find this extent and<br /> call ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the<br /> above flags set.<br /> <br /> Then, ext4_split_convert_extents() calls ext4_split_extent() with<br /> EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2<br /> flags set, and it calls ext4_split_extent_at() to split the second half<br /> with EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT<br /> and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at()<br /> failed to insert extent since a temporary lack -ENOSPC. It zeroes out<br /> the first half but convert the entire on-disk extent to written since<br /> the EXT4_EXT_DATA_VALID2 flag set, but left the second half as unwritten<br /> in the extent status tree.<br /> <br /> [0000000000SSSSSS] data S: stale data, 0: zeroed<br /> [WWWWWWWWWWWWWWWW] on-disk extent W: written extent<br /> [WWWWWWWWWWUUUUUU] extent status tree<br /> <br /> Finally, if the DIO failed to write data to the disk, the stale data in<br /> the second half will be exposed once the cached extent entry is gone.<br /> <br /> Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting<br /> an unwritten extent before submitting I/O, and make<br /> ext4_split_convert_extents() to zero out the entire extent range<br /> to zero for this case, and also mark the extent in the extent status<br /> tree for consistency.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.15 (incluyendo) 5.10.253 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (incluyendo) 5.15.203 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (incluyendo) 6.6.130 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.77 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.17 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 6.19.4 (excluyendo)