CVE-2026-31452 Overview
A kernel vulnerability has been identified in the Linux kernel's ext4 filesystem where the ext4_setattr() function fails to properly convert files from inline data storage to extent-based storage when a truncate() operation grows the file size beyond the inline capacity. This inconsistent state leads to a kernel BUG_ON() crash when subsequent write operations attempt to use the inline storage path.
Critical Impact
Local attackers or malicious processes can trigger a kernel panic by performing specific file operations on ext4 filesystems with inline data enabled, causing system-wide denial of service.
Affected Products
- Linux Kernel (ext4 filesystem with inline data feature enabled)
- Systems using ext4 with EXT4_FEATURE_INCOMPAT_INLINE_DATA mount option
- Linux distributions with vulnerable kernel versions
Discovery Timeline
- 2026-04-22 - CVE-2026-31452 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31452
Vulnerability Analysis
The vulnerability exists in the ext4 filesystem's handling of inline data storage during truncate operations. Inline data storage in ext4 allows small files to be stored directly within the inode structure rather than allocating separate data blocks, providing performance benefits for small files. The inline capacity is limited to approximately 60 bytes in the i_block field plus around 96 bytes in extended attributes.
When a truncate() system call grows a file beyond its inline capacity, the ext4_setattr() function should convert the file from inline data storage to extent-based storage. However, the vulnerable code path fails to perform this conversion, leaving the inline data flag set while the file size indicates a much larger capacity.
This inconsistent state triggers a crash when subsequent operations like sendfile() attempt to write data. The ext4_write_inline_data() function contains a BUG_ON() assertion that validates the write size against the inline capacity. When the write request exceeds the actual inline storage capacity, the kernel panics.
Root Cause
The root cause is a missing validation check in ext4_setattr() that should compare the new requested file size against the inode's actual inline capacity stored in EXT4_I(inode)->i_inline_size. Without this check, the function proceeds with the size change while leaving the inline data flag (EXT4_STATE_MAY_INLINE_DATA) set, creating an inconsistent filesystem state.
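The invariant described above can be seen in a small userspace model. This is an added example, not kernel code or the upstream patch. The class, the function names and the fixed 156-byte capacity are assumptions made for illustration, and the fixed variant follows the check described under Patch Information.

```python
from dataclasses import dataclass

# Assumed capacity for the model: ~60 bytes of i_block plus ~96 bytes of xattr space.
INLINE_CAPACITY = 60 + 96


class KernelBug(Exception):
    """Stands in for the BUG_ON() in ext4_write_inline_data()."""


@dataclass
class Inode:
    size: int = 0
    may_inline_data: bool = True          # models EXT4_STATE_MAY_INLINE_DATA
    i_inline_size: int = INLINE_CAPACITY  # models EXT4_I(inode)->i_inline_size


def setattr_size_vulnerable(inode, new_size):
    """Changes the size without comparing it to the inline capacity."""
    inode.size = new_size


def setattr_size_fixed(inode, new_size):
    """Converts to extent-based storage first when new_size cannot fit inline."""
    if inode.may_inline_data and new_size > inode.i_inline_size:
        inode.may_inline_data = False     # conversion clears the inline state
        inode.i_inline_size = 0
    inode.size = new_size


def write(inode, pos, length):
    """Returns the storage path taken; raises where the BUG_ON() would fire."""
    if not inode.may_inline_data:
        return "extent"
    if pos + length > inode.i_inline_size:
        raise KernelBug("write exceeds inline capacity while inline flag is set")
    return "inline"


def grow_then_write(setattr_size, new_size=50 * 1024 * 1024, length=4096):
    """Replays the truncate-then-write sequence against one setattr variant."""
    inode = Inode(size=10)
    setattr_size(inode, new_size)
    try:
        return write(inode, 0, length)
    except KernelBug:
        return "BUG"
```

With the vulnerable variant the inode keeps its inline flag after the size change and the write reaches the assertion. With the fixed variant the same write takes the extent path.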
Attack Vector
The vulnerability can be triggered through a local attack vector requiring the ability to perform file operations on an ext4 filesystem. The attack sequence involves:
- Accessing an ext4 filesystem with inline data support enabled
- Operating on an inode that has the inline flag set with a small initial size
- Performing a truncate() operation to grow the file beyond inline capacity (e.g., 50MB)
- Initiating a write operation via sendfile() or similar system calls
- The kernel hits the BUG_ON() assertion in ext4_write_inline_data() causing a panic
The attack requires local access but no elevated privileges, as any user with write permissions to a file on an affected ext4 filesystem can trigger the condition.
Detection Methods for CVE-2026-31452
Indicators of Compromise
- Kernel panic messages containing BUG_ON and ext4_write_inline_data in stack traces
- System crashes during file copy or sendfile() operations on ext4 filesystems
- Kernel log entries showing ext4 inline data assertion failures
Detection Strategies
- Monitor kernel logs for BUG_ON assertions related to ext4 inline data functions
- Implement audit rules for truncate() system calls on ext4 filesystems with inline data
- Deploy endpoint detection rules to identify unusual file size growth patterns on ext4 volumes
Monitoring Recommendations
- Configure centralized logging to capture kernel panic events with full stack traces
- Set up alerts for ext4-related error messages in /var/log/kern.log or journald
- Monitor system stability metrics for unexpected reboots or kernel crashes
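One way to implement the kernel-log check, as an added example that is not part of the original advisory: it groups each `kernel BUG at` report with the lines that follow it and flags only reports whose trace names ext4_write_inline_data. The sample log is constructed; its addresses, offsets and source line number are placeholders, and the 60-line window is an assumption.

```python
import re
import sys

BUG_RE = re.compile(r"kernel BUG at (?P<where>\S+?)!")
END_RE = re.compile(r"---\[ end trace")
# \b on both sides so that e.g. ext4_write_inline_data_end alone does not match.
SYMBOL_RE = re.compile(r"\bext4_write_inline_data\b")
WINDOW = 60  # assumed maximum report length when no end marker is logged

# Constructed sample log (placeholder offsets and line numbers).
SAMPLE_LOG = """\
[  101.000001] EXT4-fs (sdb1): mounted filesystem with ordered data mode
[  214.532110] ------------[ cut here ]------------
[  214.532118] kernel BUG at fs/ext4/inline.c:000!
[  214.532140] RIP: 0010:ext4_write_inline_data+0x00/0x00
[  214.532190] Call Trace:
[  214.532215]  generic_perform_write+0x00/0x00
[  214.532260] ---[ end trace 0000000000000000 ]---
[  300.100000] ------------[ cut here ]------------
[  300.100010] kernel BUG at mm/slub.c:000!
[  300.100020] RIP: 0010:kfree+0x00/0x00
[  300.100030] ---[ end trace 0000000000000000 ]---
"""


def find_inline_data_bugs(lines):
    """Return one dict per BUG report whose trace names ext4_write_inline_data."""
    hits, current = [], None
    for i, line in enumerate(lines):
        m = BUG_RE.search(line)
        if m:  # a new report starts here
            current = {"line": i, "where": m.group("where"), "reported": False}
            continue
        if current is None:
            continue
        if SYMBOL_RE.search(line) and not current["reported"]:
            current["reported"] = True
            hits.append({"line": current["line"], "where": current["where"]})
        if END_RE.search(line) or i - current["line"] >= WINDOW:
            current = None  # report finished or window exhausted
    return hits


if __name__ == "__main__":
    # Reads kernel log text from stdin, e.g. the output of journalctl -k.
    for hit in find_inline_data_bugs(sys.stdin.read().splitlines()):
        print(f"line {hit['line'] + 1}: kernel BUG at {hit['where']}")
```

Because the machine panics at the moment of the assertion, the report is only available to this check if kernel messages are shipped off-host or persisted across the crash.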
How to Mitigate CVE-2026-31452
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches immediately
- Schedule system reboots to load patched kernels during maintenance windows
- Consider temporarily disabling inline data on critical ext4 filesystems using tune2fs -O ^inline_data
Patch Information
The vulnerability has been addressed through multiple commits to the Linux kernel stable branches. The fix adds a validation check in ext4_setattr() to detect when the new size exceeds the inode's inline capacity and triggers a conversion to extent-based storage before proceeding with the size change.
Patches are available from the following kernel commits:
- Linux Kernel Commit 07c1a31
- Linux Kernel Commit 110d7ef
- Linux Kernel Commit 699bac4
- Linux Kernel Commit 7920dcc
- Linux Kernel Commit 93cb2d1
- Linux Kernel Commit c047332
- Linux Kernel Commit ed9356a
- Linux Kernel Commit f53a5d9
Workarounds
- Disable the inline data feature on ext4 filesystems using tune2fs -O ^inline_data /dev/sdXN followed by a remount
- Restrict write access to ext4 volumes with inline data enabled until patches can be applied
- Migrate critical workloads to filesystems without inline data until kernel updates are deployed
# Disable inline data feature on an ext4 filesystem
# WARNING: Requires unmounting the filesystem first
umount /dev/sdX1
tune2fs -O ^inline_data /dev/sdX1
mount /dev/sdX1 /mnt/target

