CVE-2026-45892 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030
https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267
https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc
https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1
https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and buffered write in the middle of it without dioread_nolock enabled, it will allocate blocks as written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data \|<- ->\| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and leave the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and leave an written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only insert extent A to B to the extent status tree, and leave an stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always cached extent status entry after zeroing out the second part.
Title		ext4: drop extent cache after doing PARTIAL_VALID1 zeroout
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030 https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267 https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1 https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45892", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.083Z", "datePublished": "2026-05-27T12:17:03.175Z", "dateUpdated": "2026-05-27T12:17:03.175Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-27T12:17:03.175Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop extent cache after doing PARTIAL_VALID1 zeroout\n\nWhen splitting an unwritten extent in the middle and converting it to\ninitialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and\nEXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.\n\nAssume we have an unwritten file and buffered write in the middle of it\nwithout dioread_nolock enabled, it will allocate blocks as written\nextent.\n\n 0 A B N\n [UUUUUUUUUUUU] on-disk extent U: unwritten extent\n [UUUUUUUUUUUU] extent status tree\n [--DDDDDDDD--] D: valid data\n |<- ->| ----> this range needs to be initialized\n\next4_split_extent() first try to split this extent at B with\nEXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but\next4_split_extent_at() failed to split this extent due to temporary lack\nof space. It zeroout B to N and leave the entire extent as unwritten.\n\n 0 A B N\n [UUUUUUUUUUUU] on-disk extent\n [UUUUUUUUUUUU] extent status tree\n [--DDDDDDDDZZ] Z: zeroed data\n\next4_split_extent() then try to split this extent at A with\nEXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and\nleave an written extent from A to N.\n\n 0 A B N\n [UUWWWWWWWWWW] on-disk extent W: written extent\n [UUUUUUUUUUUU] extent status tree\n [--DDDDDDDDZZ]\n\nFinally ext4_map_create_blocks() only insert extent A to B to the extent\nstatus tree, and leave an stale unwritten extent in the status tree.\n\n 0 A B N\n [UUWWWWWWWWWW] on-disk extent W: written extent\n [UUWWWWWWWWUU] extent status tree\n [--DDDDDDDDZZ]\n\nFix this issue by always cached extent status entry after zeroing out\nthe second part."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/extents.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f0931a5c17005a0c4fc35bd1a001245effc3354b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "d8ee559fccdef713f058cfe5f2c03dc9b18be3b1", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "c2ee51d684adca7645e4aa74adca13f6750390bc", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "a1b962a821e7a52d48212ae269b45808b4411267", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6d882ea3b0931b43530d44149b79fcd4ffc13030", "status": "affected", "versionType": "git"}, {"version": "0", "lessThan": "6.6.130", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "6.12.75", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "6.18.14", "status": "affected", "versionType": "semver"}, {"version": "0", "lessThan": "6.19.4", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/extents.c"], "versions": [{"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b"}, {"url": "https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1"}, {"url": "https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc"}, {"url": "https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267"}, {"url": "https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030"}], "title": "ext4: drop extent cache after doing PARTIAL_VALID1 zeroout", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop extent cache after doing PARTIAL_VALID1 zeroout\n\nWhen splitting an unwritten extent in the middle and converting it to\ninitialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and\nEXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.\n\nAssume we have an unwritten file and buffered write in the middle of it\nwithout dioread_nolock enabled, it will allocate blocks as written\nextent.\n\n 0 A B N\n [UUUUUUUUUUUU] on-disk extent U: unwritten extent\n [UUUUUUUUUUUU] extent status tree\n [--DDDDDDDD--] D: valid data\n |<- ->| ----> this range needs to be initialized\n\next4_split_extent() first try to split this extent at B with\nEXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but\next4_split_extent_at() failed to split this extent due to temporary lack\nof space. It zeroout B to N and leave the entire extent as unwritten.\n\n 0 A B N\n [UUUUUUUUUUUU] on-disk extent\n [UUUUUUUUUUUU] extent status tree\n [--DDDDDDDDZZ] Z: zeroed data\n\next4_split_extent() then try to split this extent at A with\nEXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and\nleave an written extent from A to N.\n\n 0 A B N\n [UUWWWWWWWWWW] on-disk extent W: written extent\n [UUUUUUUUUUUU] extent status tree\n [--DDDDDDDDZZ]\n\nFinally ext4_map_create_blocks() only insert extent A to B to the extent\nstatus tree, and leave an stale unwritten extent in the status tree.\n\n 0 A B N\n [UUWWWWWWWWWW] on-disk extent W: written extent\n [UUWWWWWWWWUU] extent status tree\n [--DDDDDDDDZZ]\n\nFix this issue by always cached extent status entry after zeroing out\nthe second part."}], "id": "CVE-2026-45892", "lastModified": "2026-05-27T14:48:31.480", "metrics": {}, "published": "2026-05-27T14:17:03.353", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object