CVE-2026-31449
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: validate p_idx bounds in ext4_ext_correct_indexes
ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level.
If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buffer, causing a slab-out-of-bounds read.
Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at both access sites: before the while loop and inside it. Return -EFSCORRUPTED if the index pointer is out of range, consistent with how other bounds violations are handled in the ext4 extent tree code.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 39d6e2b67651614bac0dc6592fa9836321910067 | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < c5839b34704c9c2f47f079451bdbb22de0da1ed1 | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 10242e640b36b91ad03d25f3dc77854bbdff8358 | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 4d08401aa13f1531216f1a7ae281ca4806e90a5c | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 407c944f217c17d4343148011acafebc604d55e1 | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 93f2e975ed658ce09db4d4c2877ca2c06540df83 | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 01bf1e0b997d82c0e353b51ed74ef99698043c33 | affected |
| Linux | Linux | a86c61812637c7dd0c57e29880cffd477b62f2e7 < 2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8 | affected |
| Linux | Linux | 2.6.19 | affected |
| Linux | Linux | 0 < 2.6.19 | unaffected |
| Linux | Linux | 5.10.259 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.210 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.80 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.21 <= 6.18.* | unaffected |
| Linux | Linux | 6.19.11 <= 6.19.* | unaffected |
| Linux | Linux | 7.0 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/39d6e2b67651614bac0dc6592fa9836321910067
- https://git.kernel.org/stable/c/c5839b34704c9c2f47f079451bdbb22de0da1ed1
- https://git.kernel.org/stable/c/10242e640b36b91ad03d25f3dc77854bbdff8358
- https://git.kernel.org/stable/c/4d08401aa13f1531216f1a7ae281ca4806e90a5c
- https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1
- https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83
- https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33
- https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.