PatchSiren

CVE-2026-45985 Linux CVE debrief

A stale data exposure vulnerability exists in the Linux kernel's ext4 filesystem when handling direct I/O (DIO) writes with dioread_nolock enabled. The issue occurs during block allocation when splitting an existing large unwritten extent before submitting I/O. The EXT4_GET_BLOCKS_CONVERT flag was incorrectly passed to ext4_split_convert_extents() during this pre-I/O splitting phase. When ext4_split_extent_at() fails with -ENOSPC due to a temporary lack of space, the code path could zero out the first half of the extent while converting the entire on-disk extent to written status, yet leave the second half marked as unwritten in the extent status tree. If the subsequent DIO write fails, this creates a window where stale data from the second half becomes exposed once the cached extent entry expires. The vulnerability affects data integrity and confidentiality by potentially exposing uninitialized or previously written data that should have been zeroed. The fix removes the EXT4_GET_BLOCKS_CONVERT flag during pre-I/O extent splitting and ensures the entire extent range is zeroed with consistent extent status tree marking.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators managing ext4 filesystems with direct I/O workloads; security teams responsible for kernel security posture; organizations running database or high-performance applications using ext4 with dioread_nolock; and kernel maintainers and distribution security teams coordinating stable kernel updates.

Technical summary

The vulnerability exists in ext4_iomap_alloc() and ext4_split_convert_extents() code paths. When EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT, and EXT4_GET_BLOCKS_CREATE flags are set during DIO write allocation, the incorrect inclusion of EXT4_GET_BLOCKS_CONVERT causes ext4_split_extent_at() to convert the entire on-disk extent to written status even when the split fails with -ENOSPC. The extent status tree retains the second half as unwritten, creating a metadata inconsistency. The fix ensures EXT4_GET_BLOCKS_CONVERT is not passed during pre-I/O splitting, with proper zeroing of the entire extent range and consistent extent status tree marking.

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits for affected kernel versions
  • Monitor vendor security advisories for distribution-specific kernel packages
  • Verify ext4 filesystems are using current kernel versions with the fix applied
  • Review systems with heavy direct I/O workloads on ext4 filesystems for potential data integrity concerns
  • Consider filesystem consistency checks on ext4 volumes that may have experienced -ENOSPC conditions during DIO operations prior to patching
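
To support the review of ext4 systems recommended above, the following added example (not part of the advisory or of any kernel tooling) classifies ext4 mounts by whether dioread_nolock is explicitly enabled, explicitly disabled, or left to the kernel default. The function names and sample mount table are constructed for illustration. The input format is that of /proc/mounts.

```sh
#!/bin/sh
# Added example: triage ext4 mounts for the dioread_nolock setting named in
# the advisory. Reads text in /proc/mounts format on stdin:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>

# Print "<mountpoint> <state>" for every ext4 mount, where state is:
#   enabled     - dioread_nolock is listed explicitly
#   disabled    - dioread_lock or nodioread_nolock is listed explicitly
#   unspecified - neither is listed, so the kernel default applies
classify_ext4_dio() {
    awk '$3 == "ext4" {
        state = "unspecified"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "dioread_nolock")
                state = "enabled"
            else if (opt[i] == "dioread_lock" || opt[i] == "nodioread_nolock")
                state = "disabled"
        }
        print $2, state
    }'
}

# Mountpoints to prioritise for patch verification: every ext4 mount that
# is not explicitly running with dioread_nolock turned off.
ext4_dio_review_list() {
    classify_ext4_dio | awk '$2 != "disabled" { print $1 }'
}

# Constructed sample input (not taken from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /var/lib/db ext4 rw,noatime,dioread_nolock 0 0
/dev/sdc1 /scratch ext4 rw,relatime,nodioread_nolock 0 0
/dev/sdd1 /data xfs rw,relatime 0 0'

# Demonstration on the sample; on a live host use:
#   ext4_dio_review_list < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | classify_ext4_dio
```

A mount reported as unspecified still needs checking, because whether dioread_nolock is on by default depends on the running kernel.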

Evidence notes

The vulnerability description is sourced from the official CVE record published 2026-05-27. Seven kernel.org stable tree commits are referenced, indicating backports to multiple stable kernel branches. The issue was resolved in the Linux kernel ext4 filesystem implementation. No CVSS score or severity has been assigned by NVD as of the modified date (2026-05-27T14:48:03.013Z). The vulnerability status is 'Awaiting Analysis' per NVD.

Official resources

2026-05-27T14:17:15.820Z