CVE-2026-31450
Use-After-Initialization Vulnerability in Linux ext4 Causes Kernel Crash
Publication date: 2026-04-22
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 3.11 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.203 (exc) |
| linux | linux_kernel | From 5.16 (inc) to 6.1.168 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.81 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.134 (exc) |
| linux | linux_kernel | From 3.11.1 (inc) to 5.10.253 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ext4 filesystem code, specifically in the function ext4_inode_attach_jinode(). The issue arises because the pointer ei->jinode is published to concurrent users before it is fully initialized. This allows a reader to observe a non-NULL jinode while its internal i_vfs_inode is still unset.
As a result, the fast commit flush path can pass this partially initialized jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may cause the kernel to crash due to a page fault.
The fix initializes the jbd2_inode fully before publishing the pointer: a write memory barrier (smp_wmb()) orders the initialization stores ahead of the pointer store, and the WRITE_ONCE()/READ_ONCE() accessors make the pointer store and the reader's load single, untorn accesses that the compiler cannot reorder.
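As an added example (not the kernel's own code), the two orderings described above, with the vulnerable attach split into two steps so the window a reader can hit is observable without threads; C11 release/acquire atomics stand in for smp_wmb()/WRITE_ONCE()/READ_ONCE(), and the struct and function names are simplified stand-ins for the kernel's.

```c
/* Added illustration, not kernel code: the publish-before-init ordering the CVE
 * describes, beside the ordering the fix imposes. Kernel smp_wmb()/WRITE_ONCE()/
 * READ_ONCE() are modelled with C11 release/acquire atomics on stand-in structs. */
#include <stdatomic.h>
#include <stddef.h>
struct address_space { int dummy; };
struct vfs_inode { struct address_space *i_mapping; };
struct jbd2_inode { struct vfs_inode *i_vfs_inode; };           /* reader dereferences this */
struct ext4_inode_info { struct vfs_inode vfs; _Atomic(struct jbd2_inode *) jinode; };
typedef void attach_fn(struct ext4_inode_info *, struct jbd2_inode *);

/* Vulnerable ordering, split in two so the window can be observed without threads:
 * the pointer becomes visible to readers before i_vfs_inode is filled in. */
void attach_racy_publish(struct ext4_inode_info *ei, struct jbd2_inode *ji) {
    atomic_store_explicit(&ei->jinode, ji, memory_order_relaxed);   /* published too early */
}
void attach_racy_init(struct ext4_inode_info *ei, struct jbd2_inode *ji) {
    ji->i_vfs_inode = &ei->vfs;                                       /* lands after publish */
}

/* Fixed ordering: initialize fully, then publish with release semantics
 * (kernel: smp_wmb() followed by WRITE_ONCE()). */
void attach_fixed(struct ext4_inode_info *ei, struct jbd2_inode *ji) {
    ji->i_vfs_inode = &ei->vfs;
    atomic_store_explicit(&ei->jinode, ji, memory_order_release);
}

/* Reader modelled on the fast-commit flush path: acquire-load (kernel: READ_ONCE()
 * paired with the writer's barrier) and refuse a half-built jinode instead of
 * dereferencing NULL as the reported crash did. Returns NULL when not safely usable. */
struct address_space *wait_inode_data(struct ext4_inode_info *ei) {
    struct jbd2_inode *ji = atomic_load_explicit(&ei->jinode, memory_order_acquire);
    if (!ji || !ji->i_vfs_inode)
        return NULL;
    return ji->i_vfs_inode->i_mapping;
}

/* Fresh inode pair, run one attach step, classify what a reader then sees:
 * 0 = jinode unpublished, 1 = published but i_vfs_inode unset (crash window), 2 = usable. */
static int observe_after(attach_fn *attach) {
    struct address_space m = {0};
    struct ext4_inode_info ei = { .vfs = { &m } };
    struct jbd2_inode ji = { NULL };
    attach(&ei, &ji);
    if (wait_inode_data(&ei) == &m) return 2;
    return atomic_load_explicit(&ei.jinode, memory_order_acquire) ? 1 : 0;
}
int racy_observation(void)  { return observe_after(attach_racy_publish); }  /* 1: the window */
int fixed_observation(void) { return observe_after(attach_fixed); }         /* 2: usable */
```

Calling attach_racy_init() after the racy publish would make the same reader succeed, which is exactly why the unpatched bug is timing-dependent rather than deterministic.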
How can this vulnerability impact me?
This vulnerability can cause the Linux kernel to crash unexpectedly due to a page fault when accessing a partially initialized inode structure in the ext4 filesystem. Such crashes can lead to system instability, data loss, or denial of service if the filesystem becomes unavailable or corrupted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a kernel crash related to ext4 filesystem operations, specifically involving the jinode pointer and journal handling.
Detection can involve monitoring system logs for kernel oops or crashes with messages similar to the provided crash trace, such as "BUG: unable to handle page fault" and references to ext4 and jbd2 journal functions.
Since the issue is related to ext4 filesystem journal inode initialization, commands to check kernel logs include:
- `dmesg | grep -i 'BUG\|Oops\|ext4\|jbd2'`
- `journalctl -k | grep -i 'BUG\|Oops\|ext4\|jbd2'`
Additionally, testing filesystem operations that trigger fast commit flush paths, such as intensive fsync or fdatasync calls on ext4 filesystems, may reproduce the crash if the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The fix publishes the jinode pointer only after the jbd2 journal inode is fully initialized, using a memory barrier and the WRITE_ONCE()/READ_ONCE() accessors so that the publication is safe.
Immediate mitigation steps include:
- Update the Linux kernel to a version that includes the fix for this vulnerability (post 2026-04-22); the upper bound of each affected range in the table above is the first fixed release in that series.
- Avoid running workloads that heavily use ext4 fast commit flush paths or intensive fsync/fdatasync operations on ext4 filesystems until the kernel is patched.
- Monitor system stability and kernel logs for signs of crashes related to ext4 or jbd2 journal operations.