{"api_version":"1","generated_at":"2026-06-03T19:46:57+00:00","cve":"CVE-2026-45920","urls":{"html":"https://cve.report/CVE-2026-45920","api":"https://cve.report/api/cve/CVE-2026-45920.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45920","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45920"},"summary":{"title":"ext4: fix dirtyclusters double decrement on fs shutdown","description":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix dirtyclusters double decrement on fs shutdown\n\nfstests test generic/388 occasionally reproduces a warning in\next4_put_super() associated with the dirty clusters count:\n\n  WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]\n\nTracing the failure shows that the warning fires due to an\ns_dirtyclusters_counter value of -1. IOW, this appears to be a\nspurious decrement as opposed to some sort of leak. Further tracing\nof the dirty cluster count deltas and an LLM scan of the resulting\noutput identified the cause as a double decrement in the error path\nbetween ext4_mb_mark_diskspace_used() and the caller\next4_mb_new_blocks().\n\nFirst, note that generic/388 is a shutdown vs. fsstress test and so\nproduces a random set of operations and shutdown injections. In the\nproblematic case, the shutdown triggers an error return from the\next4_handle_dirty_metadata() call(s) made from\next4_mb_mark_context(). The changed value is non-zero at this point,\nso ext4_mb_mark_diskspace_used() does not exit after the error\nbubbles up from ext4_mb_mark_context(). Instead, the former\ndecrements both cluster counters and returns the error up to\next4_mb_new_blocks(). The latter falls into the !ar->len out path\nwhich decrements the dirty clusters counter a second time, creating\nthe inconsistency.\n\nTo avoid this problem and simplify ownership of the cluster\nreservation in this codepath, lift the counter reduction to a single\nplace in the caller. This makes it more clear that\next4_mb_new_blocks() is responsible for acquiring cluster\nreservation (via ext4_claim_free_clusters()) in the !delalloc case\nas well as releasing it, regardless of whether it ends up consumed\nor returned due to failure.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:06","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128","name":"https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897","name":"https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20","name":"https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f","name":"https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95","name":"https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3","name":"https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769","name":"https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d","name":"https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45920","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45920","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 523d5a4df3c649fa305c89efb552ec62a1ce9d3d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c ca408af08544d96769c93a3d81a7f63f61129e95 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 55576fa14771d33994c29a9ae960e07bb3f56c20 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c dbc4e10619ed87a50e637b96f2e574df36a7a769 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 61e372122b6d95aec940fdaea0a16f988f359897 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 3924aea2c33df3864929c1acd178bfc29d8f005f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 81982a11406c5da6c6e2b188028e7056e16b7128 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0087d9fb3f29f59e8d42c8b058376d80e5adde4c 94a8cea54cd935c54fa2fba70354757c0fc245e3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.29","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.29 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.253 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.203 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45920","cve":"CVE-2026-45920","epss":"0.000240000","percentile":"0.073320000","score_date":"2026-06-01","updated_at":"2026-06-02 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/ext4/mballoc-test.c","fs/ext4/mballoc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"523d5a4df3c649fa305c89efb552ec62a1ce9d3d","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"ca408af08544d96769c93a3d81a7f63f61129e95","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"55576fa14771d33994c29a9ae960e07bb3f56c20","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"dbc4e10619ed87a50e637b96f2e574df36a7a769","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"61e372122b6d95aec940fdaea0a16f988f359897","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"3924aea2c33df3864929c1acd178bfc29d8f005f","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"81982a11406c5da6c6e2b188028e7056e16b7128","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"},{"lessThan":"94a8cea54cd935c54fa2fba70354757c0fc245e3","status":"affected","version":"0087d9fb3f29f59e8d42c8b058376d80e5adde4c","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/ext4/mballoc-test.c","fs/ext4/mballoc.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.29"},{"lessThan":"2.6.29","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.253","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.203","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.253","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.203","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"2.6.29","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"2.6.29","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix dirtyclusters double decrement on fs shutdown\n\nfstests test generic/388 occasionally reproduces a warning in\next4_put_super() associated with the dirty clusters count:\n\n  WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]\n\nTracing the failure shows that the warning fires due to an\ns_dirtyclusters_counter value of -1. IOW, this appears to be a\nspurious decrement as opposed to some sort of leak. Further tracing\nof the dirty cluster count deltas and an LLM scan of the resulting\noutput identified the cause as a double decrement in the error path\nbetween ext4_mb_mark_diskspace_used() and the caller\next4_mb_new_blocks().\n\nFirst, note that generic/388 is a shutdown vs. fsstress test and so\nproduces a random set of operations and shutdown injections. In the\nproblematic case, the shutdown triggers an error return from the\next4_handle_dirty_metadata() call(s) made from\next4_mb_mark_context(). The changed value is non-zero at this point,\nso ext4_mb_mark_diskspace_used() does not exit after the error\nbubbles up from ext4_mb_mark_context(). Instead, the former\ndecrements both cluster counters and returns the error up to\next4_mb_new_blocks(). The latter falls into the !ar->len out path\nwhich decrements the dirty clusters counter a second time, creating\nthe inconsistency.\n\nTo avoid this problem and simplify ownership of the cluster\nreservation in this codepath, lift the counter reduction to a single\nplace in the caller. This makes it more clear that\next4_mb_new_blocks() is responsible for acquiring cluster\nreservation (via ext4_claim_free_clusters()) in the !delalloc case\nas well as releasing it, regardless of whether it ends up consumed\nor returned due to failure."}],"providerMetadata":{"dateUpdated":"2026-05-27T12:17:38.234Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d"},{"url":"https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95"},{"url":"https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20"},{"url":"https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769"},{"url":"https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897"},{"url":"https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f"},{"url":"https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128"},{"url":"https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3"}],"title":"ext4: fix dirtyclusters double decrement on fs shutdown","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45920","datePublished":"2026-05-27T12:17:38.234Z","dateReserved":"2026-05-13T15:03:33.085Z","dateUpdated":"2026-05-27T12:17:38.234Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:06","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45920","Ordinal":"1","Title":"ext4: fix dirtyclusters double decrement on fs shutdown","CVE":"CVE-2026-45920","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45920","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix dirtyclusters double decrement on fs shutdown\n\nfstests test generic/388 occasionally reproduces a warning in\next4_put_super() associated with the dirty clusters count:\n\n  WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]\n\nTracing the failure shows that the warning fires due to an\ns_dirtyclusters_counter value of -1. IOW, this appears to be a\nspurious decrement as opposed to some sort of leak. Further tracing\nof the dirty cluster count deltas and an LLM scan of the resulting\noutput identified the cause as a double decrement in the error path\nbetween ext4_mb_mark_diskspace_used() and the caller\next4_mb_new_blocks().\n\nFirst, note that generic/388 is a shutdown vs. fsstress test and so\nproduces a random set of operations and shutdown injections. In the\nproblematic case, the shutdown triggers an error return from the\next4_handle_dirty_metadata() call(s) made from\next4_mb_mark_context(). The changed value is non-zero at this point,\nso ext4_mb_mark_diskspace_used() does not exit after the error\nbubbles up from ext4_mb_mark_context(). Instead, the former\ndecrements both cluster counters and returns the error up to\next4_mb_new_blocks(). The latter falls into the !ar->len out path\nwhich decrements the dirty clusters counter a second time, creating\nthe inconsistency.\n\nTo avoid this problem and simplify ownership of the cluster\nreservation in this codepath, lift the counter reduction to a single\nplace in the caller. This makes it more clear that\next4_mb_new_blocks() is responsible for acquiring cluster\nreservation (via ext4_claim_free_clusters()) in the !delalloc case\nas well as releasing it, regardless of whether it ends up consumed\nor returned due to failure.","Type":"Description","Title":"ext4: fix dirtyclusters double decrement on fs shutdown"}]}}}