HOMEVULNERABILITIESCVE-2026-31448
CRITICAL

CVE-2026-31448

Published: April 22, 2026· Updated: Apr 27, 2026

9.4
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid infinite loops caused by residual data

On the mkdir/mknod path, when mapping logical blocks to physical blocks,

if inserting a new extent into the extent tree fails (in this example,

because the file system disabled the huge file feature when marking the

inode as dirty), ext4_ext_map_blocks() only calls ext4_free_blocks() to

reclaim the physical block without deleting the corresponding data in

the extent tree. This causes subsequent mkdir operations to reference

the previously reclaimed physical block number again, even though this

physical block is already being used by the xattr block. Therefore, a

situation arises where both the directory and xattr are using the same

buffer head block in memory simultaneously.

The above causes ext4_xattr_block_set() to enter an infinite loop about

"inserted" and cannot release the inode lock, ultimately leading to the

143s blocking problem mentioned in [1].

If the metadata is corrupted, then trying to remove some extent space

can do even more harm. Also in case EXT4_GET_BLOCKS_DELALLOC_RESERVE

was passed, remove space wrongly update quota information.

Jan Kara suggests distinguishing between two cases:

1) The error is ENOSPC or EDQUOT - in this case the filesystem is fully

consistent and we must maintain its consistency including all the

accounting. However these errors can happen only early before we've

inserted the extent into the extent tree. So current code works correctly

for this case.

2) Some other error - this means metadata is corrupted. We should strive to

do as few modifications as possible to limit damage. So I'd just skip

freeing of allocated blocks.

[1]

INFO: task syz.0.17:5995 blocked for more than 143 seconds.

Call Trace:

inode_lock_nested include/linux/fs.h:1073 [inline]

__start_dirop fs/namei.c:2923 [inline]

start_dirop fs/namei.c:2934 [inline]

NVD Source

Technical Analysis

CVE-2026-31448 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 9.4.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityLow
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-31448
CVSS Score9.4 / 10
SeverityCRITICAL
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31448 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.