CVE-2026-46094 Linux CVE debrief

Who should care

Linux system administrators, container platform operators, forensic analysts processing untrusted disk images, and security teams monitoring kernel filesystem attack surface

Technical summary

The check_xattrs() function in fs/ext4/xattr.c validates extended attribute entries during ext4 filesystem operations. The loop advancing through xattr entries used a bounds check comparing (void *)next against end, which allowed next to point as close as 1 byte before end. The IS_LAST_ENTRY() macro reads 4 bytes via *(__u32 *)(entry) to test for the terminator; with next at end-1, this read accesses bytes at end-1, end, end+1, end+2—three bytes beyond the valid region. The corrected check (void *)next + sizeof(u32) > end ensures space for the full u32 read. Multiple stable tree commits indicate backports to supported kernel versions.

Defensive priority

medium

Recommended defensive actions

• Apply stable kernel patches from Linux kernel maintainers when available for your distribution
• Verify ext4 filesystem images from untrusted sources before mounting
• Monitor distribution security advisories for backported fixes
• Review systems processing external ext4 images (container runtimes, forensic tools, file servers)
• Enable kernel lockdown or secure boot where available to reduce untrusted module attack surface

Evidence notes

Vulnerability description and fix details sourced from CVE.org record and NVD entry. Patch commits verified via kernel.org stable tree references. Vendor identification marked low confidence by source system due to 'Unknown Vendor' classification; Linux kernel is the affected product.

Official resources