CVE-2026-45942
- Source
- https://cve.org/CVERecord?id=CVE-2026-45942
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45942.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-45942
- Downstream
- Published
- 2026-05-27T12:17:57.950Z
- Modified
- 2026-06-01T03:55:32.632561104Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- ext4: fix e4b bitmap inconsistency reports
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix e4b bitmap inconsistency reports
A bitmap inconsistency issue was observed during stress tests under mixed huge-page workloads. Ext4 reported multiple e4b bitmap check failures like:
ext4mbcomplexscangroup:2508: group 350, 8179 free clusters as per group info. But got 8192 blocks
Analysis and experimentation confirmed that the issue is caused by a race condition between page migration and bitmap modification. Although this timing window is extremely narrow, it is still hit in practice:
foliolock ext4mbloadbuddy __migratefolio check ref count foliomc_copy __filemapgetfolio folio_tryget(folio) ...... mbmarkused ext4mbunloadbuddy _foliomigratemapping folioreffreeze foliounlock
The root cause of this issue is that the fast path of loadbuddy only increments the folio's reference count, which is insufficient to prevent concurrent folio migration. We observed that the folio migration process acquires the folio lock. Therefore, we can determine whether to take the fast path in loadbuddy by checking the lock status. If the folio is locked, we opt for the slow path (which acquires the lock) to close this concurrency window.
Additionally, this change addresses the following issues:
When the DOUBLE_CHECK macro is enabled to inspect bitmap-related issues, the following error may be triggered:
corruption in group 324 at byte 784(6272): f in copy != ff on disk/prealloc
Analysis reveals that this is a false positive. There is a specific race window where the bitmap and the group descriptor become momentarily inconsistent, leading to this error report:
ext4mbloadbuddy ext4mbloadbuddy __filemapgetfolio(create|lock) foliolock ext4mbinitcache foliomarkuptodate _filemapgetfolio(no lock) ...... mbmarkused mbmarkuseddouble mbcmpbitmaps mbsetbits(e4b->bdbitmap) foliounlock
The original logic assumed that since mbcmpbitmaps is called when the bitmap is newly loaded from disk, the folio lock would be sufficient to prevent concurrent access. However, this overlooks a specific race condition: if another process attempts to load buddy and finds the folio is already in an uptodate state, it will immediately begin using it without holding folio lock.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45942.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/stable/c/29a07d691d282faf38c33d4b61839b89399110f9
- https://git.kernel.org/stable/c/57e83bfbe1e412ac42daced2086f3c6f9a17bba0
- https://git.kernel.org/stable/c/bdc56a9c46b2a99c12313122b9352b619a2e719e
- https://git.kernel.org/stable/c/c05033cfc5c7699cd4df8d48cef94d01da755f24
- https://git.kernel.org/stable/c/f29709a7a3fc38f5015d850504762cdef0e151f9
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45942.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-45942
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc9de560ded61faa5b754137b7753da252391c55aFixed57e83bfbe1e412ac42daced2086f3c6f9a17bba0Fixedc05033cfc5c7699cd4df8d48cef94d01da755f24Fixed29a07d691d282faf38c33d4b61839b89399110f9Fixedf29709a7a3fc38f5015d850504762cdef0e151f9Fixedbdc56a9c46b2a99c12313122b9352b619a2e719e