CVE-2026-31449 Overview
CVE-2026-31449 is an out-of-bounds read vulnerability in the Linux kernel's ext4 filesystem driver. The flaw resides in ext4_ext_correct_indexes(), which walks the extent tree to update index entries when the first extent in a leaf is modified. The function dereferences path[k].p_idx->ei_block without validating that p_idx falls inside the valid range of index entries for that tree level. A corrupted or crafted on-disk extent header with a manipulated eh_entries value can drive p_idx past the allocated buffer, producing a slab-out-of-bounds read [CWE-125]. The issue affects multiple Linux kernel versions across the stable tree.
Critical Impact
A local user mounting or operating on a crafted ext4 filesystem image can trigger a slab-out-of-bounds read in kernel memory, leading to information disclosure, kernel instability, or denial of service.
Affected Products
- Linux kernel (mainline) — multiple branches as identified by stable commits
- Linux kernel 2.6.19 and release candidate builds (2.6.19-rc2 through 2.6.19-rc6)
- Linux kernel 7.0 release candidates (7.0-rc1 through 7.0-rc5)
Discovery Timeline
- 2026-04-22 - CVE-2026-31449 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31449
Vulnerability Analysis
The ext4 extent tree organizes file block mappings using internal index nodes and leaf nodes containing extents. When the first extent of a leaf changes, ext4_ext_correct_indexes() walks upward through the tree to correct each parent index entry so it reflects the new logical block. During this walk, the function reads path[k].p_idx->ei_block to determine whether further propagation is needed.
The function fails to confirm that p_idx still points within the bounds defined by EXT_FIRST_INDEX() and EXT_LAST_INDEX() before dereferencing it. When the kernel parses an extent header whose eh_entries count is inconsistent with the actual allocated index array, p_idx can be advanced beyond the buffer end. The subsequent read returns adjacent slab memory, which can leak sensitive kernel data into the extent-correction logic or cause a fault detected by KASAN.
Root Cause
The root cause is missing input validation on extent header metadata. The kernel trusts eh_entries from the on-disk structure without re-validating each p_idx against EXT_LAST_INDEX() at every access site inside ext4_ext_correct_indexes(). Both the pre-loop access and the in-loop access lack bounds checks, which produces an out-of-bounds read when on-disk corruption or crafted images supply hostile values.
Attack Vector
Exploitation requires local access and user interaction, typically mounting or operating on a specially crafted ext4 filesystem image. An attacker with permission to attach removable media, a loopback image, or a USB device can present a malformed ext4 volume. When the kernel performs operations that modify the first extent of a leaf, the bounds violation triggers. The resulting slab-out-of-bounds read can disclose kernel memory contents or destabilize the system. The fix returns -EFSCORRUPTED when p_idx falls outside the valid index range, aligning with how other ext4 extent-tree bounds violations are handled.
No public proof-of-concept or in-the-wild exploitation has been reported for CVE-2026-31449.
Detection Methods for CVE-2026-31449
Indicators of Compromise
- Kernel log entries containing EXT4-fs error messages referencing the extent tree or ext4_ext_correct_indexes.
- KASAN reports of slab-out-of-bounds reads originating from fs/ext4/extents.c.
- Repeated mount or filesystem operation failures returning -EFSCORRUPTED after the patch is applied.
Detection Strategies
- Monitor dmesg and /var/log/kern.log for ext4 corruption messages and unexpected filesystem abort events.
- Audit mount events for ext4 images originating from removable media, loopback devices, or untrusted sources.
- Track kernel version inventory against the patched commits (01bf1e0, 2acb5c1, 407c944, 93f2e97) to identify unpatched hosts.
Monitoring Recommendations
- Enable kernel auditing for mount syscalls and correlate with the invoking user and device source.
- Forward kernel logs to a centralized analytics platform and alert on EXT4-fs error strings.
- Restrict and monitor use of losetup, mount, and userspace filesystem tooling on multi-user systems.
How to Mitigate CVE-2026-31449
Immediate Actions Required
- Apply the upstream kernel patches referenced by the stable tree commits as soon as vendor builds are available.
- Restrict the ability of unprivileged users to mount arbitrary filesystem images, including loopback and removable media.
- Disable automatic mounting of untrusted external media on multi-user hosts and servers.
Patch Information
The fix validates path[k].p_idx against EXT_LAST_INDEX() both before the propagation loop and inside it, returning -EFSCORRUPTED when the index pointer is out of range. Patches are available in the stable tree at Kernel Patch Note #01bf1e0, Kernel Patch Note #2acb5c1, Kernel Patch Note #407c944, and Kernel Patch Note #93f2e97. Apply the distribution-provided update that incorporates these commits.
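The bounds check described above, as an added userspace model (not the kernel source or the upstream patch). The struct layouts are simplified to host-endian fields; idx_node, ext_path, idx_in_range, correct_indexes and demo are hypothetical names, and the sample path is constructed.

```c
#include <stdint.h>

#define EFSCORRUPTED 117 /* the kernel defines EFSCORRUPTED as EUCLEAN */

/* Simplified, host-endian userspace copies of the ext4 on-disk layouts. */
struct ext_header { uint16_t eh_magic, eh_entries, eh_max, eh_depth; uint32_t eh_generation; };
struct ext_idx { uint32_t ei_block, ei_leaf_lo; uint16_t ei_leaf_hi, ei_unused; };
struct idx_node { struct ext_header hdr; struct ext_idx idx[4]; }; /* header + 4 slots */
struct ext_path { struct ext_header *p_hdr; struct ext_idx *p_idx; }; /* one tree level */

#define EXT_FIRST_INDEX(h) ((struct ext_idx *)((char *)(h) + sizeof(struct ext_header)))
#define EXT_LAST_INDEX(h)  (EXT_FIRST_INDEX(h) + (h)->eh_entries - 1)

/* The added check: p_idx must lie inside [FIRST, LAST] of its own node. */
static int idx_in_range(const struct ext_path *p)
{
    return p->p_idx >= EXT_FIRST_INDEX(p->p_hdr) && p->p_idx <= EXT_LAST_INDEX(p->p_hdr);
}

/* Model of the upward walk over index levels path[0..depth-1], checked at both sites. */
static int correct_indexes(struct ext_path *path, int depth, uint32_t border)
{
    int k = depth - 1;
    if (depth == 0)
        return 0;                        /* no index levels to correct */
    if (!idx_in_range(&path[k]))         /* pre-loop access site */
        return -EFSCORRUPTED;
    path[k].p_idx->ei_block = border;
    while (k--) {
        /* keep climbing only while the level below is its node's first entry */
        if (path[k + 1].p_idx != EXT_FIRST_INDEX(path[k + 1].p_hdr))
            break;
        if (!idx_in_range(&path[k]))     /* in-loop access site */
            return -EFSCORRUPTED;
        path[k].p_idx->ei_block = border;
    }
    return 0;
}

/* Constructed sample: two index levels; crafted=1 puts the top p_idx past EXT_LAST_INDEX. */
static int demo(int crafted)
{
    struct idx_node root = { .hdr = { .eh_entries = 2, .eh_max = 4 } };
    struct idx_node mid  = { .hdr = { .eh_entries = 1, .eh_max = 4 } };
    struct ext_path path[2] = { { &root.hdr, &root.idx[crafted ? 3 : 1] },
                                { &mid.hdr, &mid.idx[0] } };
    return correct_indexes(path, 2, 100);
}

int main(void) { return demo(0) == 0 && demo(1) == -EFSCORRUPTED ? 0 : 1; }
```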
Workarounds
- Remove the SUID bit from filesystem mounting helpers and constrain mount privileges through sudoers or polkit policy.
- Use udev rules to prevent automatic mounting of removable ext4 media until the patched kernel is deployed.
- Where feasible, run e2fsck on untrusted images in an isolated environment before mounting them on production hosts.
# Configuration example: tell udisks to ignore ext4 block devices so they are not auto-mounted
# /etc/udev/rules.d/99-block-ext4-automount.rules
SUBSYSTEM=="block", ENV{ID_FS_TYPE}=="ext4", ENV{UDISKS_IGNORE}="1", ENV{UDISKS_AUTO}="0"

# Print the running kernel release and compare it with the distribution's fixed build
uname -r
# Search the kernel log for ext4 error reports, including ones that name the affected function
grep -E 'EXT4-fs error|ext4_ext_correct_indexes' /var/log/kern.log


