
CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: stop reclaim before pushing AIL during unmount

The unmount sequence in xfs_unmount_flush_inodes() pushed the AIL while background reclaim and inodegc are still running. This is broken independently of any use-after-free issues - background reclaim and inodegc should not be running while the AIL is being pushed during unmount, as inodegc can dirty and insert inodes into the AIL during the flush, and background reclaim can race to abort ...

https://git.kernel.org/stable/c/90c60e16401248a4900f3f9387f563d0178dcf34

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: save ailp before dropping the AIL lock in push callbacks

In xfs_inode_item_push() and xfs_qm_dquot_logitem_push(), the AIL lock is dropped to perform buffer IO. Once the cluster buffer no longer protects the log item from reclaim, the log item may be freed by background reclaim or the dquot shrinker. The subsequent spin_lock() call dereferences lip->li_ailp, which is a use-after-free. Fix this by saving the ailp pointer in a local vari...

https://git.kernel.org/stable/c/90c60e16401248a4900f3f9387f563d0178dcf34

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: xfs: avoid dereferencing log items after push callbacks

After xfsaild_push_item() calls iop_push(), the log item may have been freed if the AIL lock was dropped during the push. Background inode reclaim or the dquot shrinker can free the log item while the AIL lock is not held, and the tracepoints in the switch statement dereference the log item after iop_push() returns. Fix this by capturing the log item type, flags, and LSN before calling...

https://git.kernel.org/stable/c/90c60e16401248a4900f3f9387f563d0178dcf34

CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: convert inline data to extents when truncate exceeds inline size

Add a check in ext4_setattr() to convert files from inline data storage to extent-based storage when truncate() grows the file size beyond the inline capacity. This prevents the filesystem from entering an inconsistent state where the inline data flag is set but the file size exceeds what can be stored inline. Without this fix, the following sequence causes a kernel BUG_...

https://git.kernel.org/stable/c/67cf5b09a46f72e048501b84996f2f77bc42e947

CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: replace BUG_ON with proper error handling in ext4_read_inline_folio

Replace BUG_ON() with proper error handling when inline data size exceeds PAGE_SIZE. This prevents kernel panic and allows the system to continue running while properly reporting the filesystem corruption. The error is logged via ext4_error_inode(), the buffer head is released to prevent memory leak, and -EFSCORRUPTED is returned to indicate filesystem corruption.

https://git.kernel.org/stable/c/46c7f254543dedcf134ad05091ed2b935a9a597d

CVSS: 8.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization

ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: ``` BUG: unable to handle...

https://git.kernel.org/stable/c/a361293f5fedea0016a10599f409631a15d47ee7

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes

ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buf...

https://git.kernel.org/stable/c/a86c61812637c7dd0c57e29880cffd477b62f2e7

CVSS: 9.4 | EPSS: 0% | CPEs: 6 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual data

On the mkdir/mknod path, when mapping logical blocks to physical blocks, if inserting a new extent into the extent tree fails (in this example, because the file system disabled the huge file feature when marking the inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to reclaim the physical block without deleting the corresponding data in the extent tree. This causes subseq...

https://git.kernel.org/stable/c/315054f023d28ee64f308adf8b5737831541776b

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0

bigalloc with s_first_data_block != 0 is not supported, reject mounting it.

https://git.kernel.org/stable/c/281b59959707dfae03ce038cdf231bf4904e170c

CVSS: 7.8 | EPSS: 0% | CPEs: 9 | EXPL: 0

22 Apr 2026 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in update_super_work when racing with umount

Commit b98535d09179 ("ext4: fix bug_on in start_this_handle during umount filesystem") moved ext4_unregister_sysfs() before flushing s_sb_upd_work to prevent new error work from being queued via /proc/fs/ext4/xx/mb_groups reads during unmount. However, this introduced a use-after-free because update_super_work calls ext4_notify_error_sysfs() -> sysfs_notify() which access...

https://git.kernel.org/stable/c/52c3a04f9ec2a16a4204d6274db338cb8d5b2d74