Information disclosure in Linux kernel - CVE-2026-45858
Published: May 28, 2026
Vulnerability identifier: #VU132638
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45858
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper handling of partially valid extents in ext4_split_extent_at() in the ext4 filesystem when allocating initialized blocks from a large unwritten extent or splitting an unwritten extent during end I/O conversion. A local user can trigger extent splitting to expose stale data and disclose sensitive information.
The issue occurs when a split in the middle of an unwritten extent fails due to temporary lack of space, causing part of the extent to be marked written while stale data remains.
How to mitigate CVE-2026-45858
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/1bf6974822d1dba86cf11b5f05498581cf3488a2
- https://git.kernel.org/stable/c/58ddae5d77b1db3a27b891c75a8fa120239ac092
- https://git.kernel.org/stable/c/7015fcf473796e1d2d876f241bd9e0c36f3d4eef
- https://git.kernel.org/stable/c/d17857b4fb9ba5745b59be0ef38fd532991fccbf
- https://git.kernel.org/stable/c/d67c8ecf3d8fda9b8ef80e6f665d84b6d6ac9d88