Cyber Resilience

CVE-2026-31447

High

Published: 22 April 2026

Published
22 April 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0001 2.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31447 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-31447 affects the Linux kernel's ext4 filesystem implementation. The vulnerability stems from the kernel's failure to reject mounting ext4 filesystems configured with the bigalloc feature when s_first_data_block is not equal to zero, a combination that is explicitly not supported.

A local attacker can exploit this issue with low attack complexity and no required privileges, though it necessitates user interaction, such as convincing a user to mount a crafted ext4 filesystem image. Per the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), successful exploitation enables high-impact compromise of confidentiality, integrity, and availability on the affected system.

Mitigation is provided through kernel patches in stable releases, as detailed in the referenced commits on git.kernel.org. These commits implement rejection of mounts for bigalloc-enabled ext4 filesystems where s_first_data_block != 0, resolving the unsupported configuration. Security practitioners should update to kernels incorporating these fixes.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Kernel ext4 mount parsing flaw enables local privilege escalation via crafted filesystem image (T1068); requires user interaction to mount malicious file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152Same product: Linux Linux Kernel
CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-23387Same product: Linux Linux Kernel
CVE-2025-21856Same product: Linux Linux Kernel
CVE-2025-21727Same product: Linux Linux Kernel
CVE-2026-23275Same product: Linux Linux Kernel
CVE-2026-31401Same product: Linux Linux Kernel
CVE-2024-57980Same product: Linux Linux Kernel
CVE-2026-23437Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
7.0 · 3.2 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely application of kernel patches that reject unsupported bigalloc ext4 mounts with s_first_data_block != 0 directly prevents exploitation of CVE-2026-31447.

detect

Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31447, enabling remediation before exploitation.

prevent

Establishing and enforcing secure kernel configuration settings restricts mounting of potentially malicious or unsupported ext4 filesystems.

References