ext4: avoid infinite loops caused by residual data
Summary
| CVE | CVE-2026-31448 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-22 14:16:38 UTC |
| Updated | 2026-05-07 18:43:29 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously. The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1]. If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases: 1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case. 2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks. [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline] |
Risk And Classification
Primary CVSS: v3.1 9.4 CRITICAL from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS: 0.000240000 probability, percentile 0.067850000 (date 2026-04-27)
Problem Types: CWE-835
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
| 3.1 | CNA | DECLARED | 9.4 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 315054f023d28ee64f308adf8b5737831541776b c66545e83a802c3851d9be27a41c0479dd29ff0c git | Not specified |
| CNA | Linux | Linux | affected 315054f023d28ee64f308adf8b5737831541776b ecc50bfca9b5c2ee6aeef998181689b80477367b git | Not specified |
| CNA | Linux | Linux | affected 315054f023d28ee64f308adf8b5737831541776b 3a7667595bcad84da53fc156a418e110267c3412 git | Not specified |
| CNA | Linux | Linux | affected 315054f023d28ee64f308adf8b5737831541776b 416c86f30f91b4fb2642ef6b102596ca898f41a5 git | Not specified |
| CNA | Linux | Linux | affected 315054f023d28ee64f308adf8b5737831541776b 64f425b06b3bea9abc8977fd3982779b3ad070c9 git | Not specified |
| CNA | Linux | Linux | affected 315054f023d28ee64f308adf8b5737831541776b 5422fe71d26d42af6c454ca9527faaad4e677d6c git | Not specified |
| CNA | Linux | Linux | affected 2.6.22 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.22 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.168 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.131 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.80 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.21 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.19.11 6.19.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/416c86f30f91b4fb2642ef6b102596ca898f41a5 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/64f425b06b3bea9abc8977fd3982779b3ad070c9 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5422fe71d26d42af6c454ca9527faaad4e677d6c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/c66545e83a802c3851d9be27a41c0479dd29ff0c | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/3a7667595bcad84da53fc156a418e110267c3412 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/ecc50bfca9b5c2ee6aeef998181689b80477367b | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.