CVE-2026-31450

High

Published: 22 April 2026

Published

22 April 2026

Modified

06 May 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-31450 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Linux Kernel. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 19.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of the race condition flaw in ext4_inode_attach_jinode() by applying kernel patches that initialize jinode before publishing and add memory barriers.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify the presence of CVE-2026-31450 in Linux kernel ext4 implementations for prioritized patching.

CM-6 Configuration Settings partial match

prevent

Supports secure configuration of ext4 filesystems by disabling fast commit feature via mount options to avoid triggering the vulnerable jinode access path.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Race condition in ext4 fast-commit path allows low-privileged attacker to trigger kernel panic (dereference of partially-initialized jinode), directly enabling Endpoint Denial of Service via deliberate system exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: ext4: publish jinode after initialization ext4_inode_attach_jinode() publishes ei->jinode to concurrent users. It used to set ei->jinode before jbd2_journal_init_jbd_inode(), allowing a reader to observe a non-NULL jinode with i_vfs_inode still unset.…

The fast commit flush path can then pass this jinode to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and may crash. Below is the crash I observe: ``` BUG: unable to handle page fault for address: 000000010beb47f4 PGD 110e51067 P4D 110e51067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014 RIP: 0010:xas_find_marked+0x3d/0x2e0 Code: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02 RSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246 RAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003 RDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10 RBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec R10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000 R13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88 FS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> filemap_get_folios_tag+0x87/0x2a0 __filemap_fdatawait_range+0x5f/0xd0 ? srso_alias_return_thunk+0x5/0xfbef5 ? __schedule+0x3e7/0x10c0 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? cap_safe_nice+0x37/0x70 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 filemap_fdatawait_range_keep_errors+0x12/0x40 ext4_fc_commit+0x697/0x8b0 ? ext4_file_write_iter+0x64b/0x950 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ? srso_alias_return_thunk+0x5/0xfbef5 ? vfs_write+0x356/0x480 ? srso_alias_return_thunk+0x5/0xfbef5 ? preempt_count_sub+0x5f/0x80 ext4_sync_file+0xf7/0x370 do_fsync+0x3b/0x80 ? syscall_trace_enter+0x108/0x1d0 __x64_sys_fdatasync+0x16/0x20 do_syscall_64+0x62/0x2c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ... ``` Fix this by initializing the jbd2_inode first. Use smp_wmb() and WRITE_ONCE() to publish ei->jinode after initialization. Readers use READ_ONCE() to fetch the pointer.

Deeper analysisAI

CVE-2026-31450 is a race condition vulnerability in the Linux kernel's ext4 filesystem implementation. The issue occurs in ext4_inode_attach_jinode(), where the ei->jinode pointer is published to concurrent users before full initialization via jbd2_journal_init_jbd_inode(). This allows a reader to observe a non-NULL jinode with its i_vfs_inode field still unset. During the fast commit flush path, this partially initialized jinode is passed to jbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping, resulting in a kernel crash, as evidenced by the provided Oops report involving xas_find_marked() and filemap_get_folios_tag().

An attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation triggers a kernel panic during operations like fsync or fdatasync on ext4 filesystems with fast commits enabled, as seen in the fc_fsync_bench_ workload. The vulnerability yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8.

The referenced kernel stable patches mitigate the issue by initializing the jbd2_inode before publishing ei->jinode. They employ smp_wmb() paired with WRITE_ONCE() on the writer side and READ_ONCE() on readers to ensure proper memory ordering and prevent observation of the uninitialized state. Affected users should apply commits such as 1aec30021edd, 2d2b64896014, 33f486987af2, 4855a59e2178, and a070d5a872ff from kernel.org stable trees.

Details

CWE(s): CWE-476

Affected Products

linux

linux kernel

3.11, 7.0 · 3.11.1 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.168

CVEs Like This One

CVE-2026-31638Same product: Linux Linux Kernel

CVE-2026-31600Same product: Linux Linux Kernel

CVE-2026-22992Same product: Linux Linux Kernel

CVE-2026-31477Same product: Linux Linux Kernel

CVE-2026-22998Same product: Linux Linux Kernel

CVE-2026-22991Same product: Linux Linux Kernel

CVE-2026-23198Same product: Linux Linux Kernel

CVE-2026-23148Same product: Linux Linux Kernel

CVE-2026-31657Same product: Linux Linux Kernel

CVE-2026-23440Same product: Linux Linux Kernel

References

https://git.kernel.org/stable/c/1aec30021edd410b986c156f195f3d23959a9d11
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/2d2b648960147d078b000b9a7494017082024366
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/33f486987af21531a7b18973d11795ede3da9ddd
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/4855a59e21789c79f003a9b5f4135c95a7495c6b
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/a070d5a872ffe0e0fe5c46eda6386140ded39adb
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/be54c0055407a73b60349c093c8ce621cb8fa232
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e4325e84727e539c8597bd5b8491349f57f7fb17
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67
https://git.kernel.org/stable/c/e76bcb727e4874a2f9d0297f8e3f8eced89b0764
Patch · 416baaa9-dc9f-4396-8d5f-8c081fb06d67