Improper control of a resource through its lifetime in Linux kernel - CVE-2026-31452
Published: April 24, 2026
Vulnerability identifier: #VU127696
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-31452
CWE-ID: CWE-664
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper state management in ext4_setattr() when processing truncate operations that grow a file beyond inline storage capacity. A local user can truncate a file with inline data to a large size and trigger a write operation to cause a denial of service.
The issue occurs when an inode retains the inline data flag even though the file size exceeds the actual inline capacity, leading to a kernel BUG_ON() during sendfile()-triggered writes.
How to mitigate CVE-2026-31452
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/07c1a31af18290054da3d18221b8bf58983c5d3a
- https://git.kernel.org/stable/c/110d7ef602659ce4d7947c5480f7ca2779696aaf
- https://git.kernel.org/stable/c/699bac4d4c951974d55b045c983d1de777215949
- https://git.kernel.org/stable/c/7920dcc571cef3d8aa9ee109c136125d61d41669
- https://git.kernel.org/stable/c/93cb2d103e5c707de0f7ad58a39b7f0fddc27aa6
- https://git.kernel.org/stable/c/c047332be7195833a5c5126816c2502df8269fe4
- https://git.kernel.org/stable/c/ed9356a30e59c7cc3198e7fc46cfedf3767b9b17
- https://git.kernel.org/stable/c/f53a5d9f32924bc2a810d2df243b7714da58b636