PatchSiren cyber security CVE debrief
CVE-2026-45892 Linux CVE debrief
A vulnerability in the Linux kernel's ext4 filesystem could leave stale unwritten extent entries in the extent status tree after a partial zeroout operation. When ext4_split_extent() splits an unwritten extent with EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_PARTIAL_VALID1 flags set, a failed split attempt at one boundary followed by a successful split at another boundary can result in the extent status tree containing stale unwritten extent entries that do not match the on-disk state. This inconsistency between the in-memory extent status tree and on-disk extents could lead to incorrect I/O behavior or data integrity issues. The fix ensures the cached extent status entry is dropped after zeroing out the second part of the extent, preventing the stale entry from persisting.
- Vendor: Linux
- Product: Unknown
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Linux system administrators managing ext4 filesystems, particularly those with workloads involving buffered writes to unwritten extents without dioread_nolock enabled; kernel maintainers and distribution security teams tracking ext4 filesystem stability fixes.
Technical summary
The vulnerability exists in ext4_split_extent() when handling unwritten extents with the EXT4_EXT_MAY_ZEROOUT and EXT4_EXT_DATA_PARTIAL_VALID1 flags. The code path involves: (1) an initial attempt to split at boundary B that fails due to temporary space constraints, leaving zeroed data from B to N while the entire extent remains marked unwritten; (2) a subsequent successful split at boundary A with EXT4_EXT_DATA_VALID2, creating a written extent from A to N on-disk; (3) ext4_map_create_blocks() only inserting extent A to B into the status tree, leaving a stale unwritten extent entry from B to N. The fix drops the cached extent status entry after the zeroout operation to ensure consistency between the extent status tree and on-disk state.
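The three-step sequence above, replayed in a simplified per-block model. This is an added illustration, not kernel code and not part of the CVE record: the block counts, the `stale_blocks()` helper, and modelling the fix as dropping the cached state for B to N are all assumptions.

```c
#include <stdio.h>

/* Simplified model, not kernel code: one state per logical block. */
enum st { UNWRITTEN, WRITTEN, NOT_CACHED };

#define N 8 /* extent covers blocks [0, N); constructed size */
#define A 2 /* start of the buffered write; constructed */
#define B 5 /* end of the buffered write; constructed */

static enum st disk[N], cache[N]; /* on-disk extents vs. status tree */

static void set_range(enum st *t, int from, int to, enum st v)
{
    for (int i = from; i < to; i++)
        t[i] = v;
}

/* Returns how many blocks have a cached state that contradicts the disk. */
int stale_blocks(int drop_after_zeroout)
{
    /* Start: the whole extent is unwritten on disk and in the cache. */
    set_range(disk, 0, N, UNWRITTEN);
    set_range(cache, 0, N, UNWRITTEN);

    /* (1) Split at B fails; B..N is zeroed but still marked unwritten.
     * The fix (assumed range): forget the cached state for B..N here. */
    if (drop_after_zeroout)
        set_range(cache, B, N, NOT_CACHED);

    /* (2) Split at A succeeds with DATA_VALID2: A..N is written on disk. */
    set_range(disk, A, N, WRITTEN);

    /* (3) Only A..B is inserted into the status tree. */
    set_range(cache, A, B, WRITTEN);

    int stale = 0;
    for (int i = 0; i < N; i++)
        if (cache[i] != NOT_CACHED && cache[i] != disk[i])
            stale++;
    return stale;
}

int main(void)
{
    printf("without drop: %d stale blocks\n", stale_blocks(0));
    printf("with drop:    %d stale blocks\n", stale_blocks(1));
    return 0;
}
```

Without the drop, every block from B to N is still cached as unwritten while the disk says written; with the drop, those blocks are simply uncached and the next lookup falls back to the on-disk extent.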
Defensive priority
medium
Recommended defensive actions
- Apply kernel updates containing the referenced stable commits when available from your Linux distribution
- Monitor vendor security advisories for kernel package updates addressing this ext4 filesystem issue
- Review systems using ext4 filesystems with unwritten extents and buffered I/O workloads for potential data integrity concerns
- Consider testing critical ext4 workloads on updated kernels before production deployment
Evidence notes
The vulnerability description is sourced from the official CVE record published 2026-05-27. The issue affects the ext4 filesystem implementation in the Linux kernel. Multiple stable kernel commits are referenced, indicating fixes were backported to various kernel versions. No CVSS score or severity rating has been assigned as of the CVE modification date (2026-05-27T14:48:31.480Z).
Official resources
- CVE-2026-45892 CVE record (CVE.org)
- CVE-2026-45892 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
2026-05-27