Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-31448— ext4: avoid infinite loops caused by residual data

CVSS 9.4 · Critical EPSS 0.07% · P21
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-31448

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
ext4: avoid infinite loops caused by residual data
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subsequent mkdir operations to reference the previously reclaimed physical block number again, even though this physical block is already being used by the xattr block. Therefore, a situation arises where both the directory and xattr are using the same buffer head block in memory simultaneously. The above causes ext4_xattr_block_set() to enter an infinite loop about "inserted" and cannot release the inode lock, ultimately leading to the 143s blocking problem mentioned in [1]. If the metadata is corrupted, then trying to remove some extent space can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE was passed, remove space wrongly update quota information. Jan Kara suggests distinguishing between two cases: 1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully consistent and we must maintain its consistency including all the accounting. However these errors can happen only early before we've inserted the extent into the extent tree. So current code works correctly for this case. 2) Some other error - this means metadata is corrupted. We should strive to do as few modifications as possible to limit damage. So I'd just skip freeing of allocated blocks. [1] INFO: task syz.0.17:5995 blocked for more than 143 seconds. Call Trace: inode_lock_nested include/linux/fs.h:1073 [inline] __start_dirop fs/namei.c:2923 [inline] start_dirop fs/namei.c:2934 [inline]
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于插入新扩展失败时未删除扩展树中的数据,可能导致目录和xattr同时使用同一内存块,造成无限循环和锁阻塞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 315054f023d28ee64f308adf8b5737831541776b ~ c66545e83a802c3851d9be27a41c0479dd29ff0c -
LinuxLinux 2.6.22 -

II. Public POCs for CVE-2026-31448

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-31448

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-04-22 · 100 CVEs total

CVE-2026-314639.8 CRITICALiomap: fix invalid folio access when i_blkbits differs from I/O granularity
CVE-2026-314369.8 CRITICALdmaengine: idxd: fix possible wrong descriptor completion in llist_abort_desc()
CVE-2026-315019.8 CRITICALnet: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
CVE-2026-314449.8 CRITICALksmbd: fix use-after-free and NULL deref in smb_grant_oplock()
CVE-2026-314789.8 CRITICALksmbd: replace hardcoded hdr2_len with offsetof() in smb2_calc_max_out_buf_len()
CVE-2026-314328.8 HIGHksmbd: fix OOB write in QUERY_INFO for compound requests
CVE-2026-314338.8 HIGHksmbd: fix potencial OOB in get_file_all_info() for compound requests
CVE-2026-314358.8 HIGHnetfs: Fix read abandonment during retry
CVE-2026-314508.8 HIGHext4: publish jinode after initialization
CVE-2026-314768.2 HIGHksmbd: do not expire session on binding failure
CVE-2026-315138.1 HIGHBluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
CVE-2026-314648.1 HIGHscsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()
CVE-2026-314497.8 HIGHext4: validate p_idx bounds in ext4_ext_correct_indexes
CVE-2026-314907.8 HIGHdrm/xe/pf: Fix use-after-free in migration restore
CVE-2026-314947.8 HIGHnet: macb: use the current queue number for stats
CVE-2026-315027.8 HIGHteam: fix header_ops type confusion with non-Ethernet ports
CVE-2026-314797.8 HIGHdrm/xe: always keep track of remap prev/next
CVE-2026-315047.8 HIGHnet: fix fanout UAF in packet_release() via NETDEV_UP race
CVE-2026-315057.8 HIGHiavf: fix out-of-bounds writes in iavf_get_ethtool_stats()
CVE-2026-314467.8 HIGHext4: fix use-after-free in update_super_work when racing with umount

Showing top 20 of 100 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-31448

No comments yet

Leave a comment