SB20260528226 - Information disclosure in Linux kernel ext4



SB20260528226 - Information disclosure in Linux kernel ext4

Published: May 28, 2026

Security Bulletin ID SB20260528226
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Local access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Information disclosure (CVE-ID: CVE-2026-45858)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper handling of partially valid extents in ext4_split_extent_at() in the ext4 filesystem when allocating initialized blocks from a large unwritten extent or splitting an unwritten extent during end I/O conversion. A local user can trigger extent splitting to expose stale data and disclose sensitive information.

The issue occurs when a split in the middle of an unwritten extent fails due to temporary lack of space, causing part of the extent to be marked written while stale data remains.


Remediation

Install update from vendor's website.