PT-2026-43869 · Linux · Linux
Published 2026-05-27 · Updated 2026-05-27
CVE-2026-46002
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()
ext2_iget() already rejects inodes with i_nlink == 0 when i_mode is
zero or i_dtime is set, treating them as deleted. However, the case of
i_nlink == 0 with a non-zero mode and zero dtime slips through. Since
ext2 has no orphan list, such a combination can only result from
filesystem corruption - a legitimate inode deletion always sets either
i_dtime or clears i_mode before freeing the inode.
A crafted image can exploit this gap to present such an inode to the
VFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via
ext2_unlink(), ext2_rename() and ext2_rmdir():
WARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1
Call Trace:
 inode_dec_link_count include/linux/fs.h:2518 [inline]
 ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295
 vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477
 do_unlinkat+0x53e/0x730 fs/namei.c:4541
 __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587
 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
WARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1
Call Trace:
 inode_dec_link_count include/linux/fs.h:2518 [inline]
 ext2_rename+0x35e/0x850 fs/ext2/namei.c:374
 vfs_rename+0xf2f/0x2060 fs/namei.c:5021
 do_renameat2+0xbe2/0xd50 fs/namei.c:5178
 __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223
 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
WARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336
CPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1
Call Trace:
 inode_dec_link_count include/linux/fs.h:2518 [inline]
 ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311
 vfs_rmdir+0x204/0x690 fs/namei.c:4348
 do_rmdir+0x372/0x3e0 fs/namei.c:4407
 __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577
 do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
Extend the existing i_nlink == 0 check to also catch this case,
reporting the corruption via ext2_error() and returning -EFSCORRUPTED.
This rejects the inode at load time and prevents it from reaching any
of the namei.c paths.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
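An added example, not part of the kernel patch or of this advisory's source: a userspace C classifier that applies the same three-field test (link count, mode, dtime) to raw on-disk ext2 inodes, for instance to screen an untrusted image's inode table before mounting it. The function, enum and constant names are assumptions of this example; the field offsets are those of the on-disk ext2 inode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* On-disk ext2 inode offsets (little-endian); names here are this example's own. */
enum { OFF_MODE = 0, OFF_DTIME = 20, OFF_LINKS = 26, MIN_INODE_SIZE = 128 };
enum inode_state { INODE_LIVE, INODE_DELETED, INODE_CORRUPT };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Classify one raw inode by the three fields the description discusses. */
enum inode_state classify_inode(const uint8_t *raw)
{
    uint16_t mode = le16(raw + OFF_MODE), links = le16(raw + OFF_LINKS);
    uint32_t dtime = le32(raw + OFF_DTIME);
    if (links != 0)
        return INODE_LIVE;
    if (mode == 0 || dtime != 0)
        return INODE_DELETED;   /* already treated as deleted */
    return INODE_CORRUPT;       /* zero links, non-zero mode, zero dtime */
}

/* Count corrupt inodes in a table of `count` entries; -1 on bad geometry.
 * *first receives the index of the first hit, if any. */
long scan_inode_table(const uint8_t *table, size_t len, size_t inode_size,
                      size_t count, size_t *first)
{
    long bad = 0;
    if (inode_size < MIN_INODE_SIZE || count > len / inode_size)
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (classify_inode(table + i * inode_size) != INODE_CORRUPT)
            continue;
        if (bad++ == 0 && first)
            *first = i;
    }
    return bad;
}

int main(void)
{
    /* Constructed sample: a live inode, then mode 0100644 with no links or dtime. */
    uint8_t t[2 * 128] = { [0] = 0xA4, [1] = 0x81, [26] = 1, [128] = 0xA4, [129] = 0x81 };
    size_t first = 0;
    long n = scan_inode_table(t, sizeof t, 128, 2, &first);
    printf("%ld corrupt, first at index %zu\n", n, first);
    return n == 1 ? 0 : 1;
}
```

The caller is expected to pass the inode size and count taken from the image's superblock and group descriptors; the geometry check only guards against reading past the supplied buffer.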
Affected Products
Linux