HOMEVULNERABILITIESCVE-2026-31450
HIGH

CVE-2026-31450

Published: April 22, 2026· Updated: Apr 27, 2026

8.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: publish jinode after initialization

ext4_inode_attach_jinode() publishes ei->jinode to concurrent users.

It used to set ei->jinode before jbd2_journal_init_jbd_inode(),

allowing a reader to observe a non-NULL jinode with i_vfs_inode

still unset.

The fast commit flush path can then pass this jinode to

jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and

may crash.

Below is the crash I observe:

```

BUG: unable to handle page fault for address: 000000010beb47f4

PGD 110e51067 P4D 110e51067 PUD 0

Oops: Oops: 0000 [#1] SMP NOPTI

CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)

Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014

RIP: 0010:xas_find_marked+0x3d/0x2e0

Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02

RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246

RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003

RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10

RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec

R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000

R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88

FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0

PKRU: 55555554

Call Trace:

<TASK>

filemap_get_folios_tag+0x87/0x2a0

__filemap_fdatawait_range+0x5f/0xd0

? srso_alias_return_thunk+0x5/0xfbef5

? __schedule+0x3e7/0x10c0

? srso_alias_return_thunk+0x5/0xfbef5

? srso_alias_return_thunk+0x5/0xfbef5

? srso_alias_return_thunk+0x5/0xfbef5

? preempt_count_sub+0x5f/0x80

? srso_alias_return_thunk+0x5/0xfbef5

? cap_safe_nice+0x37/0x70

? srso_alias_return_thunk+0x5/0xfbef5

? preempt_count_sub+0x5f/0x80

? srso_alias_return_thunk+0x5/0xfbef5

filemap_fdatawait_range_keep_errors+0x12/0x40

ext4_fc_commit+0x697/0x8b0

? ext4_file_write_iter+0x64b/0x950

? srso_alias_return_thunk+0x5/0xfbef5

? preempt_count_sub+0x5f/0x80

? srso_alias_return_thunk+0x5/0xfbef5

? vfs_write+0x356/0x480

? srso_alias_return_thunk+0x5/0xfbef5

? preempt_count_sub+0x5f/0x80

ext4_sync_file+0xf7/0x370

do_fsync+0x3b/0x80

? syscall_trace_enter+0x108/0x1d0

__x64_sys_fdatasync+0x16/0x20

do_syscall_64+0x62/0x2c0

entry_SYSCALL_64_after_hwframe+0x76/0x7e

...

```

Fix this by initializing the jbd2_inode first.

Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after

initialization. Readers use READ_ONCE() to fetch the pointer.

NVD Source

Technical Analysis

CVE-2026-31450 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-31450
CVSS Score8.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31450 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.