CVE-2026-45920 (GCVE-0-2026-45920)
Vulnerability from cvelistv5
Published
2026-05-27 12:17
Modified
2026-05-27 12:17
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ext4: fix dirtyclusters double decrement on fs shutdown fstests test generic/388 occasionally reproduces a warning in ext4_put_super() associated with the dirty clusters count: WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4] Tracing the failure shows that the warning fires due to an s_dirtyclusters_counter value of -1. IOW, this appears to be a spurious decrement as opposed to some sort of leak. Further tracing of the dirty cluster count deltas and an LLM scan of the resulting output identified the cause as a double decrement in the error path between ext4_mb_mark_diskspace_used() and the caller ext4_mb_new_blocks(). First, note that generic/388 is a shutdown vs. fsstress test and so produces a random set of operations and shutdown injections. In the problematic case, the shutdown triggers an error return from the ext4_handle_dirty_metadata() call(s) made from ext4_mb_mark_context(). The changed value is non-zero at this point, so ext4_mb_mark_diskspace_used() does not exit after the error bubbles up from ext4_mb_mark_context(). Instead, the former decrements both cluster counters and returns the error up to ext4_mb_new_blocks(). The latter falls into the !ar->len out path which decrements the dirty clusters counter a second time, creating the inconsistency. To avoid this problem and simplify ownership of the cluster reservation in this codepath, lift the counter reduction to a single place in the caller. This makes it more clear that ext4_mb_new_blocks() is responsible for acquiring cluster reservation (via ext4_claim_free_clusters()) in the !delalloc case as well as releasing it, regardless of whether it ends up consumed or returned due to failure.
References
Impacted products
Vendor Product Version
Linux Linux Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
Version: 0087d9fb3f29f59e8d42c8b058376d80e5adde4c
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/mballoc-test.c",
            "fs/ext4/mballoc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "523d5a4df3c649fa305c89efb552ec62a1ce9d3d",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "ca408af08544d96769c93a3d81a7f63f61129e95",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "55576fa14771d33994c29a9ae960e07bb3f56c20",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "dbc4e10619ed87a50e637b96f2e574df36a7a769",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "61e372122b6d95aec940fdaea0a16f988f359897",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "3924aea2c33df3864929c1acd178bfc29d8f005f",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "81982a11406c5da6c6e2b188028e7056e16b7128",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            },
            {
              "lessThan": "94a8cea54cd935c54fa2fba70354757c0fc245e3",
              "status": "affected",
              "version": "0087d9fb3f29f59e8d42c8b058376d80e5adde4c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/mballoc-test.c",
            "fs/ext4/mballoc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.167",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.14",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.4",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix dirtyclusters double decrement on fs shutdown\n\nfstests test generic/388 occasionally reproduces a warning in\next4_put_super() associated with the dirty clusters count:\n\n  WARNING: CPU: 7 PID: 76064 at fs/ext4/super.c:1324 ext4_put_super+0x48c/0x590 [ext4]\n\nTracing the failure shows that the warning fires due to an\ns_dirtyclusters_counter value of -1. IOW, this appears to be a\nspurious decrement as opposed to some sort of leak. Further tracing\nof the dirty cluster count deltas and an LLM scan of the resulting\noutput identified the cause as a double decrement in the error path\nbetween ext4_mb_mark_diskspace_used() and the caller\next4_mb_new_blocks().\n\nFirst, note that generic/388 is a shutdown vs. fsstress test and so\nproduces a random set of operations and shutdown injections. In the\nproblematic case, the shutdown triggers an error return from the\next4_handle_dirty_metadata() call(s) made from\next4_mb_mark_context(). The changed value is non-zero at this point,\nso ext4_mb_mark_diskspace_used() does not exit after the error\nbubbles up from ext4_mb_mark_context(). Instead, the former\ndecrements both cluster counters and returns the error up to\next4_mb_new_blocks(). The latter falls into the !ar-\u003elen out path\nwhich decrements the dirty clusters counter a second time, creating\nthe inconsistency.\n\nTo avoid this problem and simplify ownership of the cluster\nreservation in this codepath, lift the counter reduction to a single\nplace in the caller. This makes it more clear that\next4_mb_new_blocks() is responsible for acquiring cluster\nreservation (via ext4_claim_free_clusters()) in the !delalloc case\nas well as releasing it, regardless of whether it ends up consumed\nor returned due to failure."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:17:38.234Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/523d5a4df3c649fa305c89efb552ec62a1ce9d3d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca408af08544d96769c93a3d81a7f63f61129e95"
        },
        {
          "url": "https://git.kernel.org/stable/c/55576fa14771d33994c29a9ae960e07bb3f56c20"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbc4e10619ed87a50e637b96f2e574df36a7a769"
        },
        {
          "url": "https://git.kernel.org/stable/c/61e372122b6d95aec940fdaea0a16f988f359897"
        },
        {
          "url": "https://git.kernel.org/stable/c/3924aea2c33df3864929c1acd178bfc29d8f005f"
        },
        {
          "url": "https://git.kernel.org/stable/c/81982a11406c5da6c6e2b188028e7056e16b7128"
        },
        {
          "url": "https://git.kernel.org/stable/c/94a8cea54cd935c54fa2fba70354757c0fc245e3"
        }
      ],
      "title": "ext4: fix dirtyclusters double decrement on fs shutdown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45920",
    "datePublished": "2026-05-27T12:17:38.234Z",
    "dateReserved": "2026-05-13T15:03:33.085Z",
    "dateUpdated": "2026-05-27T12:17:38.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.