CVE-2026-46002
Analyzed Analyzed - Analysis Complete
Inode Corruption in Linux Kernel ext2 Filesystem

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is zero or i_dtime is set, treating them as deleted. However, the case of i_nlink == 0 with a non-zero mode and zero dtime slips through. Since ext2 has no orphan list, such a combination can only result from filesystem corruption - a legitimate inode deletion always sets either i_dtime or clears i_mode before freeing the inode. A crafted image can exploit this gap to present such an inode to the VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via ext2_unlink(), ext2_rename() and ext2_rmdir(): WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295 vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477 do_unlinkat+0x53e/0x730 fs/namei.c:4541 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rename+0x35e/0x850 fs/ext2/namei.c:374 vfs_rename+0xf2f/0x2060 fs/namei.c:5021 do_renameat2+0xbe2/0xd50 fs/namei.c:5178 __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336 CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1 Call Trace: <TASK> inode_dec_link_count include/linux/fs.h:2518 [inline] ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311 vfs_rmdir+0x204/0x690 fs/namei.c:4348 do_rmdir+0x372/0x3e0 fs/namei.c:4407 __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Extend the existing i_nlink == 0 check to also catch this case, reporting the corruption via ext2_error() and returning -EFSCORRUPTED. This rejects the inode at load time and prevents it from reaching any of the namei.c paths. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46002
EUVD
EUVD-2026-32298
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 2.6.12.1 (inc) to 5.10.258 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ext2 filesystem implementation. It involves a flaw where inodes with a zero link count (i_nlink == 0) but a valid non-zero mode and zero deletion time (i_dtime) are not properly rejected. Normally, such inodes are treated as deleted and rejected, but this specific case slips through because ext2 lacks an orphan list. This situation can only arise from filesystem corruption.

An attacker can craft a filesystem image containing such corrupted inodes to trigger warnings and errors in the kernel when these inodes are processed by functions like ext2_unlink(), ext2_rename(), and ext2_rmdir(). The vulnerability allows corrupted inodes to reach the Virtual File System (VFS) layer, causing kernel warnings and potential instability.

The fix extends the inode link count check to catch this case, report the corruption, and reject the inode at load time, preventing it from causing issues later.

Impact Analysis

This vulnerability can lead to kernel warnings and potential instability or crashes when the system processes corrupted ext2 filesystem images containing specially crafted inodes. It may cause unexpected behavior in filesystem operations such as unlinking, renaming, or removing directories.

If exploited, it could disrupt normal filesystem operations, potentially leading to denial of service or data integrity issues due to the handling of corrupted inodes.

Detection Guidance

This vulnerability involves corrupted ext2 filesystem inodes with zero i_nlink and a valid mode slipping through existing checks, which can trigger kernel warnings (WARN_ON) in drop_nlink() during unlink, rename, or rmdir operations.

Detection can be done by monitoring kernel logs for WARNING messages related to drop_nlink() in fs/inode.c, which indicate the presence of such corrupted inodes.

Suggested commands to detect this issue include checking the kernel log for these warnings using:

  • dmesg | grep 'drop_nlink'
  • journalctl -k | grep 'drop_nlink'

Additionally, filesystem integrity checks on ext2 partitions using fsck.ext2 may help identify filesystem corruption that could lead to this vulnerability.

Mitigation Strategies

The vulnerability is mitigated by extending the i_nlink == 0 check in the ext2 filesystem code to reject corrupted inodes at load time, preventing them from triggering kernel warnings or further filesystem operations.

Immediate mitigation steps include:

  • Update the Linux kernel to a version that includes the fix for this vulnerability (post 6.12.77+).
  • Run filesystem integrity checks (fsck) on ext2 filesystems to detect and repair any corruption.
  • Monitor kernel logs for warnings related to drop_nlink to identify potential exploitation attempts or filesystem corruption.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart