CVE-2026-31450
Received Received - Intake
Use-After-Initialization Vulnerability in Linux ext4 Causes Kernel Crash

Publication date: 2026-04-22

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset. The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: ``` BUG: unable to handle page fault for address: 000000010beb47f4 PGD 110e51067 P4D 110e51067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 RIP: 0010:xas_find_marked+0x3d/0x2e0 Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02 RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246 RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003 RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10 RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000 R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88 FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> filemap_get_folios_tag+0x87/0x2a0 __filemap_fdatawait_range+0x5f/0xd0 ? srso_alias_return_thunk+0x5/0xfbef5 ? __schedule+0x3e7/0x10c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? cap_safe_nice+0x37/0x70 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 filemap_fdatawait_range_keep_errors+0x12/0x40 ext4_fc_commit+0x697/0x8b0 ? ext4_file_write_iter+0x64b/0x950 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? vfs_write+0x356/0x480 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ext4_sync_file+0xf7/0x370 do_fsync+0x3b/0x80 ? syscall_trace_enter+0x108/0x1d0 __x64_sys_fdatasync+0x16/0x20 do_syscall_64+0x62/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... ``` Fix this by initializing the jbd2_inode first. Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after initialization. Readers use READ_ONCE() to fetch the pointer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31450
EUVD
EUVD-2026-24788
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 3.11
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.81 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.134 (exc)
linux linux_kernel From 3.11.1 (inc) to 5.10.253 (exc)
linux linux_kernel 3.11
linux linux_kernel 3.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ext4 filesystem code, specifically in the function ext4_inode_attach_jinode(). The issue arises because the pointer ei->jinode is published to concurrent users before it is fully initialized. This allows a reader to observe a non-NULL jinode while its internal i_vfs_inode is still unset.

As a result, the fast commit flush path can pass this partially initialized jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may cause the kernel to crash due to a page fault.

The fix involves initializing the jbd2_inode fully before publishing the pointer, using memory barriers (smp_wmb()) and atomic operations (WRITE_ONCE() and READ_ONCE()) to ensure proper synchronization.

Impact Analysis

This vulnerability can cause the Linux kernel to crash unexpectedly due to a page fault when accessing a partially initialized inode structure in the ext4 filesystem. Such crashes can lead to system instability, data loss, or denial of service if the filesystem becomes unavailable or corrupted.

Detection Guidance

This vulnerability manifests as a kernel crash related to ext4 filesystem operations, specifically involving the jinode pointer and journal handling.

Detection can involve monitoring system logs for kernel oops or crashes with messages similar to the provided crash trace, such as "BUG: unable to handle page fault" and references to ext4 and jbd2 journal functions.

Since the issue is related to ext4 filesystem journal inode initialization, commands to check kernel logs include:

  • dmesg | grep -i 'BUG\|Oops\|ext4\|jbd2'
  • journalctl -k | grep -i 'BUG\|Oops\|ext4\|jbd2'

Additionally, testing filesystem operations that trigger fast commit flush paths, such as intensive fsync or fdatasync calls on ext4 filesystems, may reproduce the crash if the system is vulnerable.

Mitigation Strategies

The vulnerability is fixed by properly initializing the jinode pointer after the jbd2 journal inode is initialized, using memory barriers and atomic operations to ensure safe publication.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability (post 2026-04-22).
  • Avoid running workloads that heavily use ext4 fast commit flush paths or intensive fsync/fdatasync operations on ext4 filesystems until the kernel is patched.
  • Monitor system stability and kernel logs for signs of crashes related to ext4 or jbd2 journal operations.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31450. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart