APPLIED: [SRU][J][PATCH 0/1] CVE-2026-31448
Stefan Bader
stefan.bader at canonical.com
Tue Jul 14 14:36:38 UTC 2026
On 24/06/2026 10:58, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-31448
>
> [ Impact ]
>
> On the mkdir/mknod path, when ext4 maps logical blocks to physical blocks, a
> failure to insert a new extent into the extent tree causes
> ext4_ext_map_blocks() to free the physical block without removing the
> corresponding entry from the extent tree. Subsequent mkdir operations then
> reference the previously reclaimed physical block, even though it is already in
> use by an xattr block, leaving the directory and xattr sharing the same buffer
> head block in memory. This drives ext4_xattr_block_set() into an infinite loop
> that never releases the inode lock, resulting in tasks blocked for over 143
> seconds. With a CVSS score of 9.4, this is a high-severity denial-of-service
> issue triggerable on corrupted or crafted filesystems.
>
> [ Fix ]
>
> jammy: backported with AI-assisted adaptation
>
> [ Test Plan ]
>
> Boot tested.
>
> [ Where Problems Could Occur ]
>
> A regression in this change would affect the ext4 extent mapping and block
> allocation paths, potentially causing incorrect block freeing, quota accounting
> errors, or filesystem inconsistency during directory and inode creation
> operations.
>
Applied to jammy:linux/master-next. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/4b0b45b4/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/4b0b45b4/attachment-0001.sig>
More information about the kernel-team
mailing list