Double free in Linux kernel - CVE-2026-45920
Published: May 28, 2026
Vulnerability identifier: #VU132577
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45920
CWE-ID: CWE-415
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to a double free in ext4 block allocation handling when processing filesystem shutdown error paths. A local user can trigger a filesystem shutdown during block allocation operations to cause a denial of service.
The issue can lead to an inconsistent dirty cluster counter state and trigger a kernel warning in ext4_put_super().
How to mitigate CVE-2026-45920
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f
- https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d
- https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20
- https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897
- https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128
- https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3
- https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95
- https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769