Race condition in Linux kernel - CVE-2026-31450
Published: April 24, 2026
Vulnerability identifier: #VU127694
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31450
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Linux kernel
Linux kernel
Software vendor:
Linux Foundation
Linux Foundation
Description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a race condition in ext4_inode_attach_jinode() when handling concurrent fast commit flush operations. A local user can trigger concurrent filesystem activity to cause a denial of service.
The issue occurs because a jinode pointer may be observed as non-NULL before its associated i_vfs_inode field is initialized, leading to a kernel crash when the fast commit flush path dereferences it.
Remediation
Install security update from vendor's repository.
External links
- https://git.kernel.org/stable/c/1aec30021edd410b986c156f195f3d23959a9d11
- https://git.kernel.org/stable/c/2d2b648960147d078b000b9a7494017082024366
- https://git.kernel.org/stable/c/33f486987af21531a7b18973d11795ede3da9ddd
- https://git.kernel.org/stable/c/4855a59e21789c79f003a9b5f4135c95a7495c6b
- https://git.kernel.org/stable/c/a070d5a872ffe0e0fe5c46eda6386140ded39adb
- https://git.kernel.org/stable/c/be54c0055407a73b60349c093c8ce621cb8fa232
- https://git.kernel.org/stable/c/e4325e84727e539c8597bd5b8491349f57f7fb17
- https://git.kernel.org/stable/c/e76bcb727e4874a2f9d0297f8e3f8eced89b0764