In the Linux kernel, the following vulnerability has been resolved:
ocfs2: handle invalid dinode in ocfs2_group_extend
[BUG]
kernel BUG at fs/ocfs2/resize.c:308!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:ocfs2_group_extend+0x10aa/0x1ae0 fs/ocfs2/resize.c:308
Code: 8b8520ff ffff83f8 860f8580 030000e8 5cc3c1fe
Call Trace:
 ...
 ocfs2_ioctl+0x175/0x6e0 fs/ocfs2/ioctl.c:869
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl fs/ioctl.c:583 [inline]
 __x64_sys_ioctl+0x197/0x1e0 fs/ioctl.c:583
 x64_sys_call+0x1144/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x93/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
 ...
[CAUSE] ocfs2_group_extend() assumes that the global bitmap inode block returned from ocfs2_inode_lock() has already been validated and BUG_ONs when the signature is not a dinode. That assumption is too strong for crafted filesystems because the JBD2-managed buffer path can bypass structural validation and return an invalid dinode to the resize ioctl.
[FIX] Validate the dinode explicitly in ocfs2_group_extend(). If the global bitmap buffer does not contain a valid dinode, report filesystem corruption with ocfs2_error() and fail the resize operation instead of crashing the kernel.
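The pattern behind the fix, as an added userspace model (not the kernel patch and not code from this record): the function that consumes the on-disk block checks its signature itself and returns an error instead of asserting. All demo_ names, the struct layout and the -EIO return value are assumptions made for the illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only; every demo_ name is hypothetical. */
#define DEMO_INODE_SIGNATURE "INODE01"  /* OCFS2 dinode signature string */

struct demo_dinode {
    char signature[8];      /* leading bytes of the on-disk inode block */
    unsigned int clusters;  /* stand-in for the bitmap's size field */
};

/* Bounded compare: the block is untrusted, so do not rely on a terminator. */
static int demo_is_valid_dinode(const struct demo_dinode *di)
{
    return memcmp(di->signature, DEMO_INODE_SIGNATURE,
                  sizeof(DEMO_INODE_SIGNATURE)) == 0;
}

/* Stand-in for corruption reporting: log, then hand back an error code. */
static int demo_report_corruption(const char *what)
{
    fprintf(stderr, "demo: filesystem corruption: %s\n", what);
    return -EIO;            /* assumed error value for this model */
}

/*
 * Pre-fix shape: an assertion on the signature (BUG_ON in the kernel), which
 * turns a crafted block into a crash. Post-fix shape, below: validate here,
 * report corruption, and fail only the resize request.
 */
int demo_group_extend(struct demo_dinode *di, unsigned int add)
{
    if (!demo_is_valid_dinode(di))
        return demo_report_corruption("global bitmap block is not a dinode");
    if (add == 0 || add > UINT_MAX - di->clusters)
        return -EINVAL;     /* reject empty or overflowing growth */
    di->clusters += add;
    return 0;
}

int main(void)
{
    struct demo_dinode good = { "INODE01", 100 };
    struct demo_dinode bad  = { "XXXXXXX", 100 };  /* constructed bad block */
    printf("good: %d\n", demo_group_extend(&good, 8));
    printf("bad:  %d\n", demo_group_extend(&bad, 8));
    return 0;
}
```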
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31596.json",
"cna_assigner": "Linux"
}