CVE-2026-31449
Published: 22 April 2026
Summary
CVE-2026-31449 is a high-severity out-of-bounds read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 2.2nd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation through kernel patching directly eliminates the missing bounds validation in ext4_ext_correct_indexes(), preventing slab-out-of-bounds reads from malicious ext4 filesystem images.
Information input validation enforces checks on on-disk extent header fields like eh_entries against valid ranges, stopping out-of-bounds pointer access during extent tree traversal.
Secure error handling returns errors like -EFSCORRUPTED for invalid index pointers, mitigating further processing of corrupted extent structures without compromising kernel security.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OOB kernel memory read via crafted ext4 image enables local info disclosure for credential access (T1212) and kernel-level privilege escalation (T1068).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: ext4: validate p_idx bounds in ext4_ext_correct_indexes ext4_ext_correct_indexes() walks up the extent tree correcting index entries when the first extent in a leaf is modified. Before accessing path[k].p_idx->ei_block, there is no validation that p_idx falls within the valid range of index entries for that level. If the on-disk extent header contains a corrupted or crafted eh_entries value, p_idx can point past the end of the allocated buffer, causing a slab-out-of-bounds read. Fix this by validating path[k].p_idx against EXT_LAST_INDEX() at both access sites: before the while loop and inside it. Return -EFSCORRUPTED if the index pointer is out of range, consistent with how other bounds violations are handled in the ext4 extent tree code.
Deeper analysis
CVE-2026-31449 is a vulnerability in the Linux kernel's ext4 filesystem, specifically within the ext4_ext_correct_indexes() function. This function traverses the extent tree to correct index entries after modifying the first extent in a leaf, but it lacks validation that the p_idx pointer falls within the valid range of index entries for that level. A corrupted or crafted on-disk extent header's eh_entries value can cause p_idx to point past the end of the allocated buffer, resulting in a slab-out-of-bounds read.
Per its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the vulnerability can be exploited by a local attacker with low attack complexity and no privileges required, but user interaction is necessary. An attacker could trigger the issue by accessing a malicious ext4 filesystem image, leading to high-impact consequences including kernel memory disclosure, potential integrity violations, or denial of service through out-of-bounds access.
Mitigation involves applying kernel patches that add validation of path[k].p_idx against EXT_LAST_INDEX() before the while loop and inside it, returning -EFSCORRUPTED for out-of-range pointers to align with other ext4 extent tree bounds handling. Relevant stable kernel commits include https://git.kernel.org/stable/c/01bf1e0b997d82c0e353b51ed74ef99698043c33, https://git.kernel.org/stable/c/2acb5c12ebd860f30e4faf67e6cc8c44ddfe5fe8, https://git.kernel.org/stable/c/407c944f217c17d4343148011acafebc604d55e1, and https://git.kernel.org/stable/c/93f2e975ed658ce09db4d4c2877ca2c06540df83.
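The bounds check described above, as an added user-space model (not the kernel's code or the upstream patch). The struct and macro names are simplified stand-ins for the ext4 ones, the two-level tree is constructed, and EFSCORRUPTED is assumed to be 117 as on Linux.

```c
#include <stdint.h>
#include <stdio.h>

#define EFSCORRUPTED 117   /* assumption: kernel alias for EUCLEAN (117 on Linux) */
#define CAP 4              /* constructed: index slots allocated per node */

/* Simplified stand-ins for the on-disk structures (host byte order) */
struct hdr  { uint16_t eh_magic, eh_entries, eh_max, eh_depth; uint32_t eh_generation; };
struct idx  { uint32_t ei_block, ei_leaf_lo; uint16_t ei_leaf_hi, ei_unused; };
struct node { struct hdr h; struct idx i[CAP]; };
struct path { struct hdr *p_hdr; struct idx *p_idx; };

#define FIRST_INDEX(h) ((struct idx *)((char *)(h) + sizeof(struct hdr)))
#define LAST_INDEX(h)  (FIRST_INDEX(h) + (h)->eh_entries - 1)

/* Model of the walk: propagate `border` upward from level depth-1 while
 * the child entry is the first one in its node. */
static int correct_indexes(struct path *path, int depth, uint32_t border)
{
    int k = depth - 1;

    if (path[k].p_idx > LAST_INDEX(path[k].p_hdr))      /* check before the loop */
        return -EFSCORRUPTED;
    path[k].p_idx->ei_block = border;

    while (k--) {
        if (path[k + 1].p_idx != FIRST_INDEX(path[k + 1].p_hdr))
            break;
        if (path[k].p_idx > LAST_INDEX(path[k].p_hdr))  /* check inside the loop */
            return -EFSCORRUPTED;
        path[k].p_idx->ei_block = border;
    }
    return 0;
}

/* Constructed two-level tree; returns the result for a given root eh_entries
 * and root p_idx slot, with the level-1 path pointing at its first entry. */
static int demo(uint16_t root_entries, int root_slot)
{
    struct node root = { .h = { .eh_entries = root_entries, .eh_max = CAP } };
    struct node mid  = { .h = { .eh_entries = 2, .eh_max = CAP } };
    struct path path[2] = { { &root.h, &root.i[root_slot] }, { &mid.h, &mid.i[0] } };
    return correct_indexes(path, 2, 100);
}

int main(void)
{
    printf("consistent: %d, p_idx past eh_entries: %d\n", demo(2, 1), demo(1, 3));
    return 0;
}
```

Because the level-1 path points at the first entry of its node, the walk reaches the root, so the second call exercises the check inside the loop.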
Details
- CWE(s)