HOMEVULNERABILITIESCVE-2026-45985
NONE

CVE-2026-45985

Published: May 27, 2026· Updated: May 27, 2026

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O

When allocating blocks during within-EOF DIO and writeback with

dioread_nolock enabled, EXT4_GET_BLOCKS_PRE_IO was set to split an

existing large unwritten extent. However, EXT4_GET_BLOCKS_CONVERT was

set when calling ext4_split_convert_extents(), which may potentially

result in stale data issues.

Assume we have an unwritten extent, and then DIO writes the second half.

[UUUUUUUUUUUUUUUU] on-disk extent U: unwritten extent

[UUUUUUUUUUUUUUUU] extent status tree

|<- ->| ----> dio write this range

First, ext4_iomap_alloc() call ext4_map_blocks() with

EXT4_GET_BLOCKS_PRE_IO, EXT4_GET_BLOCKS_UNWRIT_EXT and

EXT4_GET_BLOCKS_CREATE flags set. ext4_map_blocks() find this extent and

call ext4_split_convert_extents() with EXT4_GET_BLOCKS_CONVERT and the

above flags set.

Then, ext4_split_convert_extents() calls ext4_split_extent() with

EXT4_EXT_MAY_ZEROOUT, EXT4_EXT_MARK_UNWRIT2 and EXT4_EXT_DATA_VALID2

flags set, and it calls ext4_split_extent_at() to split the second half

with EXT4_EXT_DATA_VALID2, EXT4_EXT_MARK_UNWRIT1, EXT4_EXT_MAY_ZEROOUT

and EXT4_EXT_MARK_UNWRIT2 flags set. However, ext4_split_extent_at()

failed to insert extent since a temporary lack -ENOSPC. It zeroes out

the first half but convert the entire on-disk extent to written since

the EXT4_EXT_DATA_VALID2 flag set, but left the second half as unwritten

in the extent status tree.

[0000000000SSSSSS] data S: stale data, 0: zeroed

[WWWWWWWWWWWWWWWW] on-disk extent W: written extent

[WWWWWWWWWWUUUUUU] extent status tree

Finally, if the DIO failed to write data to the disk, the stale data in

the second half will be exposed once the cached extent entry is gone.

Fix this issue by not passing EXT4_GET_BLOCKS_CONVERT when splitting

an unwritten extent before submitting I/O, and make

ext4_split_convert_extents() to zero out the entire extent range

to zero for this case, and also mark the extent in the extent status

tree for consistency.

NVD Source

Technical Analysis

CVE-2026-45985 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (7)

Quick Facts

CVE IDCVE-2026-45985
SeverityNONE
CISA KEVNo
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-45985 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.