PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45948 Linux CVE debrief

A memory leak exists in the Linux kernel's ext4 filesystem, in `ext4_ext_shift_extents()`. The function obtains an extent path from `ext4_find_extent()` and then, if it encounters a NULL extent inside its while loop, returns immediately without releasing the allocated path. The fix jumps to the function's `out` label instead, so the path is released before the error is returned. `ext4_ext_shift_extents()` is the extent-manipulation routine behind the fallocate collapse-range and insert-range operations on ext4. The fix landed in the mainline kernel and was backported to multiple stable branches.

Vendor
Linux
Product
Unknown
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

System administrators running Linux hosts with ext4 filesystems, particularly where untrusted or user-supplied ext4 images are mounted or where workloads use the fallocate collapse-range or insert-range operations; kernel maintainers and distribution packagers responsible for backporting the fix; security teams that track kernel resource-exhaustion bugs.

Technical summary

The bug is in `ext4_ext_shift_extents()` in the ext4 filesystem. The function walks the extent tree in a loop, calling `ext4_find_extent()` to obtain an extent path (a small kernel allocation) for each position. If the lookup returned no extent, meaning the position fell into a hole where the tree should have held an extent, the function returned directly from the loop instead of going through its cleanup, and the path was never freed. The fix redirects that error exit to the `out` label, where the path is released. Each hit leaks one path allocation, so memory exhaustion requires the error path to be reached repeatedly; a NULL extent at this point indicates an inconsistent extent tree, so the most likely trigger is a crafted or corrupted ext4 image rather than normal operation on a healthy filesystem. This is a resource leak rated medium defensive priority. The fix has been backported to multiple stable kernel branches, as evidenced by the eight referenced commits.
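The leak pattern described above, as an added userspace model (this is not code from the page or from the Linux kernel). `find_extent_model()` stands in for `ext4_find_extent()`: it allocates the path on first use and reuses it afterwards, and `path->ext == NULL` models the NULL extent, a lookup that landed in a hole of the extent tree. `shift_extents_buggy()` returns straight out of the loop and leaks the path; `shift_extents_fixed()` jumps to an `out` label, which is the shape of the fix. All function names, the extent table and the use of `EUCLEAN` as the kernel's `EFSCORRUPTED` value are assumptions made for this illustration.

```c
/*
 * Added example, not code from the page or the Linux kernel: a userspace
 * model of the path leak in ext4_ext_shift_extents(). The names below are
 * hypothetical; the extent table is constructed sample data.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef EUCLEAN
#define EUCLEAN 117          /* Linux value; not defined on every libc */
#endif
#define EFSCORRUPTED EUCLEAN /* assumed: the kernel's alias for "fs corrupted" */

struct extent { unsigned lblk, len; };         /* logical start block, length */
struct ext_path { const struct extent *ext; }; /* extent a lookup resolved to */

static int live_paths; /* outstanding path allocations; must be 0 after a call */

static int leaked_paths(void) { return live_paths; }
static void reset_leak_counter(void) { live_paths = 0; }

/* Constructed sample tree: extents at 0, 10, 30, 40 with a hole at 20..29. */
static const struct extent sample_tree[] = {
    { 0, 10 }, { 10, 10 }, { 30, 10 }, { 40, 10 },
};
#define SAMPLE_N (sizeof sample_tree / sizeof sample_tree[0])

static void free_path_model(struct ext_path *path)
{
    if (path) { live_paths--; free(path); }
}

/* Model of ext4_find_extent(): allocate the path on the first call, reuse it
 * on later calls, and resolve lblk. path->ext stays NULL when lblk falls in a
 * hole. Only the first call allocates, so a NULL return means nothing is
 * outstanding and the caller has nothing to free. */
static struct ext_path *find_extent_model(unsigned lblk, struct ext_path *path,
                                          const struct extent *tree, size_t n)
{
    if (!path) {
        path = calloc(1, sizeof *path);
        if (!path) return NULL;
        live_paths++;
    }
    path->ext = NULL;
    for (size_t i = 0; i < n; i++) {
        if (lblk >= tree[i].lblk && lblk < tree[i].lblk + tree[i].len) {
            path->ext = &tree[i];
            break;
        }
    }
    return path;
}

/* Buggy shape: the direct return on a hole skips the cleanup after the loop,
 * so the path allocated by the first lookup is leaked on that exit.
 * Returns the number of extents visited, or a negative errno. */
static int shift_extents_buggy(unsigned start, unsigned stop,
                               const struct extent *tree, size_t n)
{
    struct ext_path *path = NULL;
    int shifted = 0;

    while (start < stop) {
        path = find_extent_model(start, path, tree, n);
        if (!path)
            return -ENOMEM;          /* nothing allocated, nothing to free */
        if (!path->ext)
            return -EFSCORRUPTED;    /* BUG: path is still allocated here */
        shifted++;
        start = path->ext->lblk + path->ext->len; /* advance past this extent */
    }
    free_path_model(path);
    return shifted;
}

/* Fixed shape: every exit after a successful lookup goes through out. */
static int shift_extents_fixed(unsigned start, unsigned stop,
                               const struct extent *tree, size_t n)
{
    struct ext_path *path = NULL;
    int ret = 0;

    while (start < stop) {
        path = find_extent_model(start, path, tree, n);
        if (!path)
            return -ENOMEM;
        if (!path->ext) {
            ret = -EFSCORRUPTED;     /* same error, but released via out */
            goto out;
        }
        ret++;
        start = path->ext->lblk + path->ext->len;
    }
out:
    free_path_model(path);
    return ret;
}

int main(void)
{
    int r = shift_extents_buggy(0, 50, sample_tree, SAMPLE_N);
    printf("buggy: ret=%d, paths still allocated=%d\n", r, leaked_paths());
    reset_leak_counter();
    r = shift_extents_fixed(0, 50, sample_tree, SAMPLE_N);
    printf("fixed: ret=%d, paths still allocated=%d\n", r, leaked_paths());
    return 0;
}
```

On the happy path (a range with no hole) both versions free the path and the counter returns to zero; only the error exit differs, which is why the bug went unnoticed on healthy filesystems and why a crafted tree that plants a hole inside the shifted range is the way to reach it.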

Defensive priority

medium

Recommended defensive actions

  • Apply the fix: update to a kernel that carries the `ext4_ext_shift_extents()` patch from your distribution or the relevant stable branch, and reboot into it
  • Until patched, limit the realistic attack surface: the leak is reached when the extent tree is inconsistent, so restrict who can mount untrusted or user-supplied ext4 images (including loop-mounted images) on affected hosts
  • Watch kernel rather than process memory: track `Slab` and `SUnreclaim` in /proc/meminfo and the small `kmalloc-*` caches in /proc/slabinfo or `slabtop`; the leaked path is a small kernel allocation that is never returned, so a steady climb with no matching workload is the signal. On test kernels, kmemleak should report the leaked object with an allocation stack through `ext4_find_extent()`
  • Review dmesg and system logs for `EXT4-fs error` messages on the affected devices, which ext4 emits when it detects the inconsistent extent tree that leads to this error path
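A helper for the monitoring action above, as an added example that is not part of the page: it parses two /proc/slabinfo snapshots and reports how many bytes a named cache grew between them. A leaked extent path is a small kernel allocation, so repeated triggers show up as growth in a `kmalloc-*` cache rather than in any process. The column layout follows the real slabinfo 2.1 format (name, active_objs, num_objs, objsize, ...); the two snapshots embedded here are constructed sample text, and the function names are hypothetical.

```c
/*
 * Added example, not code from the page: diff two /proc/slabinfo snapshots
 * by cache name. Feed it the real file contents captured before and after a
 * suspect workload; the embedded snapshots are constructed sample data.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CACHES 64

struct slab_stat {
    char name[64];
    unsigned long num_objs; /* objects the cache holds (active + free) */
    unsigned long objsize;  /* bytes per object */
};

/* Parse slabinfo text into out[]; returns the number of caches parsed.
 * Header lines ("slabinfo - version" and "# name ...") are skipped. */
static int parse_slabinfo(const char *text, struct slab_stat *out, int max)
{
    int n = 0;
    const char *line = text;

    while (*line && n < max) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        struct slab_stat s;
        unsigned long active;

        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (buf[0] != '#' && strncmp(buf, "slabinfo", 8) != 0 &&
            sscanf(buf, "%63s %lu %lu %lu",
                   s.name, &active, &s.num_objs, &s.objsize) == 4)
            out[n++] = s;
        if (!nl) break;
        line = nl + 1;
    }
    return n;
}

/* Bytes committed to cache `name` (num_objs * objsize), or 0 if absent. */
static unsigned long cache_bytes(const struct slab_stat *st, int n,
                                 const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(st[i].name, name) == 0)
            return st[i].num_objs * st[i].objsize;
    return 0;
}

/* Growth in bytes of `name` between two snapshots; negative if it shrank. */
static long slab_growth(const char *before, const char *after, const char *name)
{
    struct slab_stat b[MAX_CACHES], a[MAX_CACHES];
    int nb = parse_slabinfo(before, b, MAX_CACHES);
    int na = parse_slabinfo(after, a, MAX_CACHES);
    return (long)cache_bytes(a, na, name) - (long)cache_bytes(b, nb, name);
}

/* Constructed sample snapshots: kmalloc-64 doubles, kmalloc-128 is flat. */
static const char *snap_before =
    "slabinfo - version: 2.1\n"
    "# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
    "kmalloc-128         4000   4096    128   32    1 : tunables    0    0    0 : slabdata    128    128      0\n"
    "kmalloc-64         12000  12800     64   64    1 : tunables    0    0    0 : slabdata    200    200      0\n";
static const char *snap_after =
    "slabinfo - version: 2.1\n"
    "# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
    "kmalloc-128         4010   4096    128   32    1 : tunables    0    0    0 : slabdata    128    128      0\n"
    "kmalloc-64         25500  25600     64   64    1 : tunables    0    0    0 : slabdata    400    400      0\n";

int main(void)
{
    const char *caches[] = { "kmalloc-64", "kmalloc-128" };
    for (size_t i = 0; i < 2; i++)
        printf("%-12s %+ld bytes\n", caches[i],
               slab_growth(snap_before, snap_after, caches[i]));
    return 0;
}
```

Reading /proc/slabinfo requires root on most distributions. Compare snapshots taken across a fixed workload or interval; one growing `kmalloc-*` cache that never comes back down while other caches stay flat is what a per-trigger kernel leak looks like, and kmemleak on a test kernel will then tell you which call site owns it.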

Evidence notes

The vulnerability description is sourced from the official CVE record published by CVE.org and mirrored in NVD. The fix involves modifying `ext4_ext_shift_extents()` to ensure the extent path is released via the `out` label when a NULL extent is encountered. Multiple stable kernel branch commits are referenced, indicating widespread backporting of the fix.

Official resources

2026-05-27