PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31448 Linux CVE debrief

A vulnerability has been resolved in the Linux kernel, specifically in the ext4 filesystem. The issue arises when mapping logical blocks to physical blocks on the mkdir/mknod path. If inserting a new extent into the extent tree fails, ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This can cause subsequent mkdir operations to reference the previously reclaimed physical block number again, leading to a situation where both the directory and xattr are using the same buffer head block in memory simultaneously. This can ultimately lead to an infinite loop in ext4_xattr_block_set() and a 143-second blocking problem.

Vendor
Linux
Product
Unknown
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-07-14
Advisory published
2026-04-22
Advisory updated
2026-07-14

Who should care

System administrators and users of Linux kernel versions 2.6.22.1 and later, up to 6.19.11, and 6.1.168, 6.6.131, 6.12.80, and 6.18.21, should be aware of this vulnerability and take steps to patch their systems.

Technical summary

The vulnerability is caused by the failure to properly handle errors when inserting a new extent into the extent tree in the ext4 filesystem. This can lead to a situation where a physical block is reclaimed and then reused, causing both the directory and xattr to use the same buffer head block in memory simultaneously. To fix this issue, the code has been modified to distinguish between two cases: (1) the error is ENOSPC or EDQUOT, in which case the filesystem is fully consistent and the current code works correctly; and (2) some other error, in which case metadata is corrupted and the code should strive to do as few modifications as possible to limit damage.

Defensive priority

High

Recommended defensive actions

  • Apply the patches provided by the Linux kernel maintainers
  • Ensure that the Linux kernel is updated to a version that includes the fix
  • Monitor system logs for signs of exploitation
  • Implement compensating controls, such as SELinux or AppArmor, to limit the damage that can be caused by the vulnerability
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was resolved by modifying the ext4 filesystem code to properly handle errors when inserting a new extent into the extent tree. The fix distinguishes between two cases: (1) ENOSPC or EDQUOT errors, which require maintaining filesystem consistency; and (2) other errors, which indicate metadata corruption and require minimal modifications to limit damage.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T14:16:38.760Z and has not been modified since then. The NVD entry is currently Modified.