CVE-2026-31449
HIGH
CVSS 7.8
No EPSS data
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: validate p_idx bounds in ext4_ext_correct_indexes
ext4_ext_correct_indexes() walks up the extent tree correcting
index entries when the first extent in a leaf is modified. Before
accessing path[k].p_idx->ei_block, there is no validation that
p_idx falls within the valid range of index entries for that
level.
If the on-disk extent header contains a corrupted or crafted
eh_entries value, p_idx can point past the end of the allocated
buffer, causing a slab-out-of-bounds read.
Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at
both access sites: before the while loop and inside it. Return
-EFSCORRUPTED if the index pointer is out of range, consistent
with how other bounds violations are handled in the ext4 extent
tree code.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-31449",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 7.8,
"attackVector": "LOCAL",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "REQUIRED",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 1.8
}
]
},
"published": "2026-04-22T14:16:38.933",
"references": [
{
"url": "https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33",
"tags": [
"Patch"
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8",
"tags": [
"Patch"
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1",
"tags": [
"Patch"
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/4d08401aa13f1531216f1a7ae281ca4806e90a5c",
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
},
{
"url": "https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83",
"tags": [
"Patch"
],
"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
],
"vulnStatus": "Modified",
"weaknesses": [
{
"type": "Primary",
"source": "nvd@nist.gov",
"description": [
{
"lang": "en",
"value": "CWE-125"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: validate p_idx bounds in ext4_ext_correct_indexes\n\next4_ext_correct_indexes() walks up the extent tree correcting\nindex entries when the first extent in a leaf is modified. Before\naccessing path[k].p_idx->ei_block, there is no validation that\np_idx falls within the valid range of index entries for that\nlevel.\n\nIf the on-disk extent header contains a corrupted or crafted\neh_entries value, p_idx can point past the end of the allocated\nbuffer, causing a slab-out-of-bounds read.\n\nFix this by validating path[k].p_idx against EXT_LAST_INDEX() at\nboth access sites: before the while loop and inside it. Return\n-EFSCORRUPTED if the index pointer is out of range, consistent\nwith how other bounds violations are handled in the ext4 extent\ntree code."
}
],
"lastModified": "2026-05-17T16:16:15.390",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "6126AEF2-0176-48D1-96AD-72781F726931",
"versionEndExcluding": "6.12.80",
"versionStartIncluding": "2.6.19.1"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "ED39847A-3B46-4729-B7CA-B2C30B9FA8FE",
"versionEndExcluding": "6.18.21",
"versionStartIncluding": "6.13"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4CA2E747-A9EC-4518-9AA2-B4247FC748B7",
"versionEndExcluding": "6.19.11",
"versionStartIncluding": "6.19"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:-:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9E2DBD4C-9DD9-4DD3-87CB-A0070A789CEA"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "8D97ED16-D6B7-4445-889C-4D6DE2EDC49A"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B2C2D5D4-9A4B-4CDF-8D71-D22EB5E97D5A"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DFFB2843-A867-48EC-97D7-B106C7BBAED0"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:rc5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "3CD3FE23-1A10-47E6-AD7E-D67F1BE3C5E2"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.19:rc6:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9F39FC76-7D77-4064-94D3-A16C436FA8D1"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
}
}