A newly disclosed vulnerability in the Linux kernel's Ext4 filesystem, tracked as CVE-2026-31449, has been patched to prevent slab out-of-bounds (OOB) reads. The flaw, which carries a moderate severity rating, resides in the Ext4 directory entry validation code and could allow an attacker to trigger a kernel memory leak or crash under specific conditions.
The issue was introduced in kernel version 6.12 and affects all subsequent releases up to the fix. It was discovered and reported by security researcher Jan Kara, who identified that the Ext4 code failed to properly validate the length of directory entries when processing corrupted or maliciously crafted filesystem images.
Understanding the Vulnerability
At its core, CVE-2026-31449 is a bounds checking deficiency in the ext4_readdir function. When the kernel reads directory entries from an Ext4 filesystem, it iterates over a series of ext4_dir_entry_2 structures. Each entry has a rec_len field indicating its total length. The kernel must verify that this length does not exceed the remaining space in the current filesystem block.
In the vulnerable code, the check was incomplete. Specifically, the kernel did not ensure that the rec_len value was at least the size of a minimal directory entry (8 bytes). An attacker who can mount a specially crafted Ext4 filesystem image—for example, via a USB drive or network filesystem—could supply a directory entry with a rec_len smaller than the structure size. This would cause the kernel to read beyond the allocated slab buffer, leading to an out-of-bounds read.
Practical Impact on Users
While this vulnerability does not allow arbitrary code execution by itself, it poses two concrete risks. First, an out-of-bounds read can leak sensitive kernel memory contents, such as cryptographic keys or other processes' data, to an unprivileged user who can read directory listings. Second, repeated OOB reads can trigger a kernel panic, causing a denial-of-service condition.
Importantly, exploitation requires the ability to mount a malicious Ext4 filesystem. This means an attacker would need physical access to the system or the ability to trick a user into mounting a crafted image. In cloud or container environments, a malicious container image could also exploit the flaw if it includes a crafted Ext4 filesystem.
The Fix: A One-Line Change
The patch, authored by Jan Kara and merged into the mainline kernel on March 10, 2026, adds a single validation check. The fix ensures that each directory entry's rec_len is at least sizeof(struct ext4_dir_entry_2) before proceeding with further processing. This prevents the kernel from reading past the entry into adjacent memory.
The commit message explains: "Add a check that rec_len is at least the size of the structure. This prevents out-of-bounds reads when processing corrupted directory entries."
Affected Versions and Mitigation
All Linux kernels from version 6.12 up to but not including the fix commit are affected. The fix was backported to stable kernels 6.12.15, 6.13.10, and 6.14.2. Users should update to these or later versions immediately. Distributions such as Ubuntu, Debian, Red Hat, and SUSE have released patched kernels.
For systems that cannot be immediately updated, a workaround is to avoid mounting untrusted Ext4 filesystem images. This includes external drives, downloaded disk images, and container images. However, this is not a complete mitigation for environments where users regularly mount filesystems.
Technical Deep Dive
The Ext4 filesystem stores directory entries in a linear array within filesystem blocks. Each entry begins with an ext4_dir_entry_2 structure, which contains:
inode: 4 bytes, the inode number
rec_len: 2 bytes, total entry length
name_len: 1 byte, length of the filename
file_type: 1 byte, file type indicator
name: variable-length filename
The kernel reads these entries in a loop. The loop in ext4_readdir is shown here with the check that the vulnerable code lacked:

    while ((char *)de < (char *)bh->b_data + blocksize) {
        if (de->rec_len < sizeof(*de))
            break; /* this check was missing in the vulnerable code */
        /* ... process entry ... */
        de = (struct ext4_dir_entry_2 *)((char *)de + de->rec_len);
    }
The missing check allowed a rec_len of, say, 4 bytes. The kernel would then treat the next 4 bytes as the start of a new entry, reading beyond the actual allocated buffer.
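The same walk as a user-space C example, added here for illustration; it is not the kernel's code or the patch itself. It goes beyond the single rec_len check by also rejecting misaligned entries, entries that run past the block, and names that do not fit their entry. The names walk_dir_block, put_entry, demo and HDR_LEN are hypothetical, the 64-byte block is constructed sample data, and the block size is assumed to be below 64 KiB so that rec_len is a plain little-endian value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 8u /* inode(4) + rec_len(2) + name_len(1) + file_type(1) */

/* Walk one directory block. Returns the number of entries walked, or -1 as
 * soon as an entry's lengths are inconsistent with the block. */
int walk_dir_block(const uint8_t *blk, size_t blocksize)
{
    size_t off = 0;
    int count = 0;

    while (off < blocksize) {
        size_t left = blocksize - off;
        if (left < HDR_LEN) return -1;            /* header crosses block end */
        /* rec_len is little-endian on disk; decode bytewise, no alignment needed */
        size_t rec_len = (size_t)blk[off + 4] | ((size_t)blk[off + 5] << 8);
        size_t name_len = blk[off + 6];

        if (rec_len < HDR_LEN) return -1;         /* the check discussed above */
        if (rec_len % 4 != 0) return -1;          /* entries are 4-byte aligned */
        if (rec_len > left) return -1;            /* entry runs past the block */
        if (HDR_LEN + name_len > rec_len) return -1; /* name spills past entry */
        count++;
        off += rec_len;
    }
    return count;
}

/* Constructed sample data: write one entry (header plus name) at `off`. */
static void put_entry(uint8_t *blk, size_t off, uint16_t rec_len, const char *name)
{
    blk[off] = 12;                                /* inode 12, arbitrary */
    blk[off + 4] = (uint8_t)(rec_len & 0xff);
    blk[off + 5] = (uint8_t)(rec_len >> 8);
    blk[off + 6] = (uint8_t)strlen(name);
    blk[off + 7] = 1;                             /* file_type: regular file */
    memcpy(blk + off + HDR_LEN, name, strlen(name));
}

/* Constructed 64-byte block: "a" (rec_len 12), then "bb" with `second_len`. */
int demo(uint16_t second_len)
{
    uint8_t blk[64] = {0};
    put_entry(blk, 0, 12, "a");
    put_entry(blk, 12, second_len, "bb");
    return walk_dir_block(blk, sizeof blk);
}

int main(void) { return (demo(52) == 2 && demo(4) == -1) ? 0 : 1; }
```

A second entry with rec_len 52 fills the block exactly and the walk succeeds; a value of 4, as in the case described above, is rejected before any of the entry's fields are used.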
Community Response
On the Linux kernel mailing list, the patch received quick approval. Maintainer Theodore Ts'o commented: "This is a straightforward fix that closes a hole we should have caught earlier. Thanks to Jan for catching it."
Some developers noted that while the bug is not remotely exploitable, its presence in core filesystem code underscores the importance of rigorous bounds checking. "We've been burned by similar issues in the past," wrote one contributor. "Ext4 is battle-tested, but every new feature adds surface area."
Conclusion
CVE-2026-31449 serves as a reminder that even mature filesystems can harbor subtle memory safety bugs. The fix is minimal but critical for systems handling untrusted Ext4 images. Users should prioritize updating their kernels to the latest stable release.
For Windows users running Linux in WSL or virtual machines, ensure your distribution's kernel is updated. Microsoft's WSL2 kernel is based on the mainline Linux kernel and will receive the fix through Windows Update once integrated.