{"api_version":"1","generated_at":"2026-06-03T09:30:13+00:00","cve":"CVE-2026-45892","urls":{"html":"https://cve.report/CVE-2026-45892","api":"https://cve.report/api/cve/CVE-2026-45892.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45892","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45892"},"summary":{"title":"ext4: drop extent cache after doing PARTIAL_VALID1 zeroout","description":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop extent cache after doing PARTIAL_VALID1 zeroout\n\nWhen splitting an unwritten extent in the middle and converting it to\ninitialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and\nEXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.\n\nAssume we have an unwritten file and buffered write in the middle of it\nwithout dioread_nolock enabled, it will allocate blocks as written\nextent.\n\n       0  A      B  N\n       [UUUUUUUUUUUU] on-disk extent      U: unwritten extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDD--]                     D: valid data\n          |<-  ->| ----> this range needs to be initialized\n\next4_split_extent() first try to split this extent at B with\nEXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but\next4_split_extent_at() failed to split this extent due to temporary lack\nof space. It zeroout B to N and leave the entire extent as unwritten.\n\n       0  A      B  N\n       [UUUUUUUUUUUU] on-disk extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDDZZ]                     Z: zeroed data\n\next4_split_extent() then try to split this extent at A with\nEXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and\nleave an written extent from A to N.\n\n       0  A      B  N\n       [UUWWWWWWWWWW] on-disk extent      W: written extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDDZZ]\n\nFinally ext4_map_create_blocks() only insert extent A to B to the extent\nstatus tree, and leave an stale unwritten extent in the status tree.\n\n       0  A      B  N\n       [UUWWWWWWWWWW] on-disk extent      W: written extent\n       [UUWWWWWWWWUU] extent status tree\n       [--DDDDDDDDZZ]\n\nFix this issue by always cached extent status entry after zeroing out\nthe second part.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:03","updated_at":"2026-05-30 11:17:15"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31","name":"https://git.kernel.org/stable/c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc","name":"https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267","name":"https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1","name":"https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030","name":"https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b","name":"https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45892","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45892","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ddf854e59166533b0f46ba32cd6cd9aca3197d1b 28db4bfc6f82fd20e2aadb7fc162244109a4eb31 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 58ddae5d77b1db3a27b891c75a8fa120239ac092 f0931a5c17005a0c4fc35bd1a001245effc3354b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d17857b4fb9ba5745b59be0ef38fd532991fccbf d8ee559fccdef713f058cfe5f2c03dc9b18be3b1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88 c2ee51d684adca7645e4aa74adca13f6750390bc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 7015fcf473796e1d2d876f241bd9e0c36f3d4eef a1b962a821e7a52d48212ae269b45808b4411267 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 1bf6974822d1dba86cf11b5f05498581cf3488a2 6d882ea3b0931b43530d44149b79fcd4ffc13030 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.167 6.1.168 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45892","cve":"CVE-2026-45892","epss":"0.000320000","percentile":"0.097530000","score_date":"2026-06-02","updated_at":"2026-06-03 00:08:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/extents.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"28db4bfc6f82fd20e2aadb7fc162244109a4eb31","status":"affected","version":"ddf854e59166533b0f46ba32cd6cd9aca3197d1b","versionType":"git"},{"lessThan":"f0931a5c17005a0c4fc35bd1a001245effc3354b","status":"affected","version":"58ddae5d77b1db3a27b891c75a8fa120239ac092","versionType":"git"},{"lessThan":"d8ee559fccdef713f058cfe5f2c03dc9b18be3b1","status":"affected","version":"d17857b4fb9ba5745b59be0ef38fd532991fccbf","versionType":"git"},{"lessThan":"c2ee51d684adca7645e4aa74adca13f6750390bc","status":"affected","version":"d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88","versionType":"git"},{"lessThan":"a1b962a821e7a52d48212ae269b45808b4411267","status":"affected","version":"7015fcf473796e1d2d876f241bd9e0c36f3d4eef","versionType":"git"},{"lessThan":"6d882ea3b0931b43530d44149b79fcd4ffc13030","status":"affected","version":"1bf6974822d1dba86cf11b5f05498581cf3488a2","versionType":"git"}]},{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/extents.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"6.1.168","status":"affected","version":"6.1.167","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.168","versionStartIncluding":"6.1.167","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop extent cache after doing PARTIAL_VALID1 zeroout\n\nWhen splitting an unwritten extent in the middle and converting it to\ninitialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and\nEXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.\n\nAssume we have an unwritten file and buffered write in the middle of it\nwithout dioread_nolock enabled, it will allocate blocks as written\nextent.\n\n       0  A      B  N\n       [UUUUUUUUUUUU] on-disk extent      U: unwritten extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDD--]                     D: valid data\n          |<-  ->| ----> this range needs to be initialized\n\next4_split_extent() first try to split this extent at B with\nEXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but\next4_split_extent_at() failed to split this extent due to temporary lack\nof space. It zeroout B to N and leave the entire extent as unwritten.\n\n       0  A      B  N\n       [UUUUUUUUUUUU] on-disk extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDDZZ]                     Z: zeroed data\n\next4_split_extent() then try to split this extent at A with\nEXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and\nleave an written extent from A to N.\n\n       0  A      B  N\n       [UUWWWWWWWWWW] on-disk extent      W: written extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDDZZ]\n\nFinally ext4_map_create_blocks() only insert extent A to B to the extent\nstatus tree, and leave an stale unwritten extent in the status tree.\n\n       0  A      B  N\n       [UUWWWWWWWWWW] on-disk extent      W: written extent\n       [UUWWWWWWWWUU] extent status tree\n       [--DDDDDDDDZZ]\n\nFix this issue by always cached extent status entry after zeroing out\nthe second part."}],"providerMetadata":{"dateUpdated":"2026-05-30T10:41:42.703Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/28db4bfc6f82fd20e2aadb7fc162244109a4eb31"},{"url":"https://git.kernel.org/stable/c/f0931a5c17005a0c4fc35bd1a001245effc3354b"},{"url":"https://git.kernel.org/stable/c/d8ee559fccdef713f058cfe5f2c03dc9b18be3b1"},{"url":"https://git.kernel.org/stable/c/c2ee51d684adca7645e4aa74adca13f6750390bc"},{"url":"https://git.kernel.org/stable/c/a1b962a821e7a52d48212ae269b45808b4411267"},{"url":"https://git.kernel.org/stable/c/6d882ea3b0931b43530d44149b79fcd4ffc13030"}],"title":"ext4: drop extent cache after doing PARTIAL_VALID1 zeroout","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45892","datePublished":"2026-05-27T12:17:03.175Z","dateReserved":"2026-05-13T15:03:33.083Z","dateUpdated":"2026-05-30T10:41:42.703Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:03","lastModifiedDate":"2026-05-30 11:17:15","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45892","Ordinal":"1","Title":"ext4: drop extent cache after doing PARTIAL_VALID1 zeroout","CVE":"CVE-2026-45892","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45892","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: drop extent cache after doing PARTIAL_VALID1 zeroout\n\nWhen splitting an unwritten extent in the middle and converting it to\ninitialized in ext4_split_extent() with the EXT4_EXT_MAY_ZEROOUT and\nEXT4_EXT_DATA_VALID2 flags set, it could leave a stale unwritten extent.\n\nAssume we have an unwritten file and buffered write in the middle of it\nwithout dioread_nolock enabled, it will allocate blocks as written\nextent.\n\n       0  A      B  N\n       [UUUUUUUUUUUU] on-disk extent      U: unwritten extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDD--]                     D: valid data\n          |<-  ->| ----> this range needs to be initialized\n\next4_split_extent() first try to split this extent at B with\nEXT4_EXT_DATA_PARTIAL_VALID1 and EXT4_EXT_MAY_ZEROOUT flag set, but\next4_split_extent_at() failed to split this extent due to temporary lack\nof space. It zeroout B to N and leave the entire extent as unwritten.\n\n       0  A      B  N\n       [UUUUUUUUUUUU] on-disk extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDDZZ]                     Z: zeroed data\n\next4_split_extent() then try to split this extent at A with\nEXT4_EXT_DATA_VALID2 flag set. This time, it split successfully and\nleave an written extent from A to N.\n\n       0  A      B  N\n       [UUWWWWWWWWWW] on-disk extent      W: written extent\n       [UUUUUUUUUUUU] extent status tree\n       [--DDDDDDDDZZ]\n\nFinally ext4_map_create_blocks() only insert extent A to B to the extent\nstatus tree, and leave an stale unwritten extent in the status tree.\n\n       0  A      B  N\n       [UUWWWWWWWWWW] on-disk extent      W: written extent\n       [UUWWWWWWWWUU] extent status tree\n       [--DDDDDDDDZZ]\n\nFix this issue by always cached extent status entry after zeroing out\nthe second part.","Type":"Description","Title":"ext4: drop extent cache after doing PARTIAL_VALID1 zeroout"}]}}}