{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31450", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.091Z", "datePublished": "2026-04-22T13:53:45.532Z", "dateUpdated": "2026-04-22T13:53:45.532Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-22T13:53:45.532Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei->jinode to concurrent users.\nIt used to set ei->jinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode to\njbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei->jinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/fast_commit.c", "fs/ext4/inode.c"], "versions": [{"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "2d2b648960147d078b000b9a7494017082024366", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "e4325e84727e539c8597bd5b8491349f57f7fb17", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "be54c0055407a73b60349c093c8ce621cb8fa232", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "a070d5a872ffe0e0fe5c46eda6386140ded39adb", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "e76bcb727e4874a2f9d0297f8e3f8eced89b0764", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "4855a59e21789c79f003a9b5f4135c95a7495c6b", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "33f486987af21531a7b18973d11795ede3da9ddd", "status": "affected", "versionType": "git"}, {"version": "a361293f5fedea0016a10599f409631a15d47ee7", "lessThan": "1aec30021edd410b986c156f195f3d23959a9d11", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/fast_commit.c", "fs/ext4/inode.c"], "versions": [{"version": "3.11", "status": "affected"}, {"version": "0", "lessThan": "3.11", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.168", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.134", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.81", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.21", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.12.81"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.11", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2d2b648960147d078b000b9a7494017082024366"}, {"url": "https://git.kernel.org/stable/c/e4325e84727e539c8597bd5b8491349f57f7fb17"}, {"url": "https://git.kernel.org/stable/c/be54c0055407a73b60349c093c8ce621cb8fa232"}, {"url": "https://git.kernel.org/stable/c/a070d5a872ffe0e0fe5c46eda6386140ded39adb"}, {"url": "https://git.kernel.org/stable/c/e76bcb727e4874a2f9d0297f8e3f8eced89b0764"}, {"url": "https://git.kernel.org/stable/c/4855a59e21789c79f003a9b5f4135c95a7495c6b"}, {"url": "https://git.kernel.org/stable/c/33f486987af21531a7b18973d11795ede3da9ddd"}, {"url": "https://git.kernel.org/stable/c/1aec30021edd410b986c156f195f3d23959a9d11"}], "title": "ext4: publish jinode after initialization", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei->jinode to concurrent users.\nIt used to set ei->jinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode to\njbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei->jinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer."}], "id": "CVE-2026-31450", "lastModified": "2026-04-22T14:16:39.083", "metrics": {}, "published": "2026-04-22T14:16:39.083", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1aec30021edd410b986c156f195f3d23959a9d11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2d2b648960147d078b000b9a7494017082024366"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/33f486987af21531a7b18973d11795ede3da9ddd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4855a59e21789c79f003a9b5f4135c95a7495c6b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a070d5a872ffe0e0fe5c46eda6386140ded39adb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/be54c0055407a73b60349c093c8ce621cb8fa232"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e4325e84727e539c8597bd5b8491349f57f7fb17"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e76bcb727e4874a2f9d0297f8e3f8eced89b0764"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,2d2b648960147d078b000b9a7494017082024366)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,e4325e84727e539c8597bd5b8491349f57f7fb17)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,be54c0055407a73b60349c093c8ce621cb8fa232)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,a070d5a872ffe0e0fe5c46eda6386140ded39adb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,e76bcb727e4874a2f9d0297f8e3f8eced89b0764)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,4855a59e21789c79f003a9b5f4135c95a7495c6b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,33f486987af21531a7b18973d11795ede3da9ddd)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[a361293f5fedea0016a10599f409631a15d47ee7,1aec30021edd410b986c156f195f3d23959a9d11)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.11,3.11]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.11)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.10.253,5.11.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.15.203,5.16.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.168,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.134,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.81,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.21,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-22T19:10:37.439919+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the ext4 inode initialization fix (the relevant patch is available in the kernel source tree).", "Reboot the system after updating to ensure the new kernel is active and clear any lingering stale state.", "Run a filesystem check (fsck) on affected ext4 filesystems to repair possible corruption caused by premature journal operations."], "summary": {"action": "Patch", "impact": "Denial of Service (Kernel Crash)"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in any Linux kernel that includes ext4 before the fix was applied. No specific version ranges are listed in the data, so all older kernels that contain the described code are potentially affected.", "description_and_impact": "In the Linux kernel, the ext4 filesystem code incorrectly publishes a jinode pointer before it is fully initialized. A reader can see a non\u2011NULL jinode while the corresponding VFS inode still has no mapping, leading the fast commit flush path to dereference an uninitialized pointer and crash. The resulting kernel panic manifests as a denial of service for the entire system.", "risk_and_exploitability": "The lack of an EPSS score and absence from the CISA KEV catalog means exploitation probability is unknown, but the impact is high because a kernel panic brings the system offline. The creation of the fault requires a write, sync, or fsync operation on an ext4 filesystem, which can be triggered by a local user or escalated attacker. Accordingly, the risk is inferred to be moderate to high for impacted hosts."}}}}, "created": "2026-04-22T16:30:21.824864+00:00", "updated": "2026-04-22T19:15:24.483246+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}