PatchSiren

CVE-2026-46002 Linux CVE debrief

A vulnerability in the Linux kernel's ext2 filesystem implementation allows corrupted inodes with zero link count but valid mode bits to reach VFS operations, triggering kernel warnings. The flaw exists in ext2_iget(), which failed to reject inodes where i_nlink == 0 with non-zero i_mode and zero i_dtime—a combination that can only result from filesystem corruption. When such inodes are processed through ext2_unlink(), ext2_rename(), or ext2_rmdir(), they invoke drop_nlink() with an already-zero link count, causing WARN_ON assertions. The fix extends existing validation to reject these corrupted inodes at load time with -EFSCORRUPTED, preventing them from reaching namei.c paths. This vulnerability was discovered by the Linux Verification Center using Syzkaller.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators maintaining ext2 filesystems, security teams monitoring for filesystem-based attacks, kernel developers working on filesystem drivers, and organizations running systems that process untrusted filesystem images in sandboxed or virtualized environments.

Technical summary

The ext2_iget() function in the Linux kernel's ext2 filesystem driver contains insufficient validation for corrupted inode states. While it already rejected inodes with i_nlink == 0 when i_mode is zero or i_dtime is set, it failed to handle the case where i_nlink == 0 with valid i_mode and zero i_dtime. Since ext2 lacks an orphan list, this state can only occur through filesystem corruption. A crafted ext2 image can present such inodes to the VFS, which then triggers WARN_ON assertions in drop_nlink() when processed through unlink, rename, or rmdir operations. The vulnerability is addressed by extending the existing validation to reject these inodes at load time with -EFSCORRUPTED.
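
The inode state described above can be looked for offline in an ext2 image before it is mounted. The following Python sketch is an added example, not code from the kernel or the advisory; the function names and the constructed 8 KiB sample image are assumptions, and unlike ext2_iget(), which checks only the inodes it loads, it scans every inode-table slot.

```python
import struct

EXT2_MAGIC = 0xEF53

def _scan(img):
    sb = 1024  # superblock byte offset
    if struct.unpack_from("<H", img, sb + 56)[0] != EXT2_MAGIC:
        raise ValueError("not an ext2 superblock")
    inodes_count, = struct.unpack_from("<I", img, sb)
    first_data_block, log_bs = struct.unpack_from("<II", img, sb + 20)
    per_group, = struct.unpack_from("<I", img, sb + 40)
    rev, = struct.unpack_from("<I", img, sb + 76)
    inode_size = struct.unpack_from("<H", img, sb + 88)[0] if rev >= 1 else 128
    if log_bs > 6 or per_group == 0 or inode_size < 128:
        raise ValueError("implausible superblock geometry")
    block_size = 1024 << log_bs
    gdt = (first_data_block + 1) * block_size  # group descriptor table
    hits = []
    for ino in range(1, inodes_count + 1):
        group, index = divmod(ino - 1, per_group)
        table, = struct.unpack_from("<I", img, gdt + group * 32 + 8)  # bg_inode_table
        off = table * block_size + index * inode_size
        # i_mode at +0, i_dtime at +20, i_links_count at +26
        mode, dtime, links = struct.unpack_from("<H18xI2xH", img, off)
        if links == 0 and mode != 0 and dtime == 0:  # the state the fix rejects
            hits.append(ino)
    return hits

def find_corrupt_inodes(img):
    """Inode numbers with i_links_count == 0, i_mode != 0 and i_dtime == 0."""
    try:
        return _scan(img)
    except struct.error as exc:  # truncated image or out-of-range table pointer
        raise ValueError(f"malformed image: {exc}") from None

def build_sample_image():
    """Constructed image: 1 KiB blocks, one group, 8 inodes, table at block 4."""
    img = bytearray(8 * 1024)
    struct.pack_into("<I", img, 1024, 8)            # s_inodes_count
    struct.pack_into("<II", img, 1024 + 20, 1, 0)   # s_first_data_block, s_log_block_size
    struct.pack_into("<I", img, 1024 + 40, 8)       # s_inodes_per_group
    struct.pack_into("<H", img, 1024 + 56, EXT2_MAGIC)
    struct.pack_into("<I", img, 2048 + 8, 4)        # bg_inode_table
    samples = [(2, 0o040755, 0, 2),                 # healthy root directory
               (5, 0o100644, 1700000000, 0),        # deleted file, i_dtime set
               (6, 0o100644, 0, 0)]                 # constructed corrupted inode
    for ino, mode, dtime, links in samples:
        struct.pack_into("<H18xI2xH", img, 4096 + (ino - 1) * 128, mode, dtime, links)
    return bytes(img)
```

On the constructed image, find_corrupt_inodes(build_sample_image()) reports only inode 6; the deleted inode 5 and the unused all-zero slots are not flagged.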

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable commits when available for your distribution
  • Monitor kernel logs for ext2 filesystem corruption warnings as indicators of potential exploitation attempts
  • Consider filesystem integrity checks on ext2 volumes that may have been exposed to untrusted images
  • Review systems that process untrusted ext2 filesystem images, particularly in container or virtualization environments

Evidence notes

The CVE description provides kernel stack traces showing WARN_ON triggers in drop_nlink() via three distinct code paths: ext2_unlink() at fs/ext2/namei.c:295, ext2_rename() at fs/ext2/namei.c:374, and ext2_rmdir() at fs/ext2/namei.c:311. The fix involves extending the i_nlink == 0 validation check in ext2_iget() to catch cases where i_mode is non-zero and i_dtime is zero. Multiple stable kernel commits are referenced, indicating backports across supported versions.
