ext4: drop extent cache after doing PARTIAL_VALID1 zeroout

Summary

CVE	CVE-2026-45892
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-27 14:17:03 UTC
Updated	2026-05-30 11:17:15 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: ext4: drop extent cache after doing PARTIAL_VALID1 zeroout When splitting an unwritten extent in the middle and converting it to initialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent. Assume we have an unwritten file and buffered write in the middle of it without dioread_nolock enabled, it will allocate blocks as written extent. 0 A B N [UUUUUUUUUUUU] on-disk extent U: unwritten extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDD--] D: valid data \|<- ->\| ----> this range needs to be initialized ext4_split_extent() first try to split this extent at B with EXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but ext4_split_extent_at() failed to split this extent due to temporary lack of space. It zeroout B to N and leave the entire extent as unwritten. 0 A B N [UUUUUUUUUUUU] on-disk extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Z: zeroed data ext4_split_extent() then try to split this extent at A with EXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and leave an written extent from A to N. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUUUUUUUUUUU] extent status tree [--DDDDDDDDZZ] Finally ext4_map_create_blocks() only insert extent A to B to the extent status tree, and leave an stale unwritten extent in the status tree. 0 A B N [UUWWWWWWWWWW] on-disk extent W: written extent [UUWWWWWWWWUU] extent status tree [--DDDDDDDDZZ] Fix this issue by always cached extent status entry after zeroing out the second part.

Risk And Classification

EPSS: 0.000320000 probability, percentile 0.097530000 (date 2026-06-02)

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected ddf854e59166533b0f46ba32cd6cd9aca3197d1b 28db4bfc6f82fd20e2aadb7fc162244109a4eb31 git	Not specified
CNA	Linux	Linux	affected 58ddae5d77b1db3a27b891c75a8fa120239ac092 f0931a5c17005a0c4fc35bd1a001245effc3354b git	Not specified
CNA	Linux	Linux	affected d17857b4fb9ba5745b59be0ef38fd532991fccbf d8ee559fccdef713f058cfe5f2c03dc9b18be3b1 git	Not specified
CNA	Linux	Linux	affected d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88 c2ee51d684adca7645e4aa74adca13f6750390bc git	Not specified
CNA	Linux	Linux	affected 7015fcf473796e1d2d876f241bd9e0c36f3d4eef a1b962a821e7a52d48212ae269b45808b4411267 git	Not specified
CNA	Linux	Linux	affected 1bf6974822d1dba86cf11b5f05498581cf3488a2 6d882ea3b0931b43530d44149b79fcd4ffc13030 git	Not specified
CNA	Linux	Linux	affected 6.1.167 6.1.168 semver	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.