CVE-2026-31447

High

Published: 22 April 2026

Published

22 April 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0001 2.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31447 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely application of kernel patches that reject unsupported bigalloc ext4 mounts with s_first_data_block != 0 directly prevents exploitation of CVE-2026-31447.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning identifies Linux kernels vulnerable to CVE-2026-31447, enabling remediation before exploitation.

CM-6 Configuration Settings partial match

prevent

Establishing and enforcing secure kernel configuration settings restricts mounting of potentially malicious or unsupported ext4 filesystems.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Kernel ext4 mount parsing flaw enables local privilege escalation via crafted filesystem image (T1068); requires user interaction to mount malicious file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: ext4: reject mount if bigalloc with s_first_data_block != 0 bigalloc with s_first_data_block != 0 is not supported, reject mounting it.

Deeper analysisAI

CVE-2026-31447 affects the Linux kernel's ext4 filesystem implementation. The vulnerability stems from the kernel's failure to reject mounting ext4 filesystems configured with the bigalloc feature when s_first_data_block is not equal to zero, a combination that is explicitly not supported.

A local attacker can exploit this issue with low attack complexity and no required privileges, though it necessitates user interaction, such as convincing a user to mount a crafted ext4 filesystem image. Per the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), successful exploitation enables high-impact compromise of confidentiality, integrity, and availability on the affected system.

Mitigation is provided through kernel patches in stable releases, as detailed in the referenced commits on git.kernel.org. These commits implement rejection of mounts for bigalloc-enabled ext4 filesystems where s_first_data_block != 0, resolving the unsupported configuration. Security practitioners should update to kernels incorporating these fixes.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

linux

linux kernel

7.0 · 3.2 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

CVEs Like This One

CVE-2026-31694Same product: Linux Linux Kernel

CVE-2026-31641Same product: Linux Linux Kernel

CVE-2026-31663Same product: Linux Linux Kernel

CVE-2026-23336Same product: Linux Linux Kernel

CVE-2025-21858Same product: Linux Linux Kernel

CVE-2026-31454Same product: Linux Linux Kernel

CVE-2025-21700Same product: Linux Linux Kernel

CVE-2024-57995Same product: Linux Linux Kernel

CVE-2026-23412Same product: Linux Linux Kernel

CVE-2026-23231Same product: Linux Linux Kernel

References

https://git.kernel.org/stable/c/3822743dc20386d9897e999dbb990befa3a5b3f8
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/3a926957cc95899ef88529710836edadc03c71a1
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/5ad6d994255e27a3254079dfb50ca861fc31f2d0
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7b58c110b4e1f028eb38eec9ed3555e9be81c8b0
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/7d5b04290156c3fc316eecc86a4f9d201ab7d44a
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/ad1f6d608f33f59d21a3d025615d6786a6443998
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/b77de3fceafbb39f30e4ff5dc986f863d5456417
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/d787d3ae96648dc14a3b7ca8fde817177e82c1c7
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67