PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31449 Linux CVE debrief

CVE-2026-31449 is a Linux kernel ext4 flaw in extent index correction logic. A missing bounds check on an extent-tree index pointer can let corrupted on-disk metadata drive an out-of-bounds read, which NVD rates as CVSS 7.8 HIGH.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-05-17
Advisory published
2026-04-22
Advisory updated
2026-05-17

Who should care

Linux kernel maintainers, distro security teams, storage and filesystem engineers, and administrators running ext4 on systems that may mount untrusted or potentially corrupted filesystems should prioritize this advisory.

Technical summary

NVD describes the issue in ext4_ext_correct_indexes(), which walks up the ext4 extent tree to update index entries after the first extent in a leaf changes. Before reading path[k].p_idx->ei_block, the code did not verify that p_idx was still within the valid index range for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the allocated buffer and cause a slab-out-of-bounds read. The kernel fix validates path[k].p_idx against EXT_LAST_INDEX() at both access sites and returns -EFSCORRUPTED when the pointer is out of range. NVD lists CWE-125 and a CVSS v3.1 vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Defensive priority

High

Recommended defensive actions

  • Apply the kernel updates that include the ext4 bounds check fix, or vendor backports of the referenced patches.
  • Verify deployed kernel versions against the NVD affected ranges and upgrade any build older than the fixed stable releases listed by NVD.
  • Treat untrusted, damaged, or externally supplied ext4 filesystems as higher risk until patched kernels are deployed.
  • Use vendor advisories and stable kernel package updates to confirm the fix is present in your distribution build.
  • If you maintain kernel-dependent appliances or images, rebuild them with patched kernels and revalidate filesystem handling paths.

Evidence notes

The supplied NVD record identifies the bug as an ext4 out-of-bounds read in ext4_ext_correct_indexes(), tied to unvalidated path[k].p_idx access when eh_entries is corrupted. The NVD entry also includes the mitigation references to stable.kernel.org patch commits and records CWE-125 plus CVSS 7.8 HIGH. The affected-version data in the source corpus comes from NVD CPE criteria, including ranges ending before 6.12.80, 6.18.21, and 6.19.11, with special inclusion of 2.6.19 and early release candidates.

Official resources

Publicly disclosed in the NVD record on 2026-04-22T14:16:38.933Z and modified on 2026-05-17T16:16:15.390Z. The supplied corpus ties the issue to official kernel patch references added in the NVD update.