U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. Vulnerabilities

CVE-2026-31452 Detail

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: convert inline data to extents when truncate exceeds inline size Add a check in ext4_setattr() to convert files from inline data storage to extent-based storage when truncate() grows the file size beyond the inline capacity. This prevents the filesystem from entering an inconsistent state where the inline data flag is set but the file size exceeds what can be stored inline. Without this fix, the following sequence causes a kernel BUG_ON(): 1. Mount filesystem with inode that has inline flag set and small size 2. truncate(file, 50MB) - grows size but inline flag remains set 3. sendfile() attempts to write data 4. ext4_write_inline_data() hits BUG_ON(write_size > inline_capacity) The crash occurs because ext4_write_inline_data() expects inline storage to accommodate the write, but the actual inline capacity (~60 bytes for i_block + ~96 bytes for xattrs) is far smaller than the file size and write request. The fix checks if the new size from setattr exceeds the inode's actual inline capacity (EXT4_I(inode)->i_inline_size) and converts the file to extent-based storage before proceeding with the size change. This addresses the root cause by ensuring the inline data flag and file size remain consistent during truncate operations.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
https://git.kernel.org/stable/c/07c1a31af18290054da3d18221b8bf58983c5d3a kernel.org Patch 
https://git.kernel.org/stable/c/110d7ef602659ce4d7947c5480f7ca2779696aaf kernel.org Patch 
https://git.kernel.org/stable/c/699bac4d4c951974d55b045c983d1de777215949 kernel.org Patch 
https://git.kernel.org/stable/c/7920dcc571cef3d8aa9ee109c136125d61d41669 kernel.org Patch 
https://git.kernel.org/stable/c/93cb2d103e5c707de0f7ad58a39b7f0fddc27aa6 kernel.org Patch 
https://git.kernel.org/stable/c/c047332be7195833a5c5126816c2502df8269fe4 kernel.org Patch 
https://git.kernel.org/stable/c/ed9356a30e59c7cc3198e7fc46cfedf3767b9b17 kernel.org Patch 
https://git.kernel.org/stable/c/f53a5d9f32924bc2a810d2df243b7714da58b636 kernel.org Patch 

Weakness Enumeration

CWE-ID CWE Name Source
CWE-787 Out-of-bounds Write cwe source acceptance level NIST  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

2 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2026-31452
NVD Published Date:
04/22/2026
NVD Last Modified:
05/06/2026
Source:
kernel.org