{"schema_version":"1.7.2","id":"OESA-2026-2233","modified":"2026-05-09T12:32:30Z","published":"2026-05-09T12:32:30Z","upstream":["CVE-2026-31449","CVE-2026-31450"],"summary":"kernel security update","details":"The Linux Kernel, the operating system core itself.\r\n\r\nSecurity Fix(es):\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\next4: validate p_idx bounds in ext4_ext_correct_indexes\n\next4_ext_correct_indexes() walks up the extent tree correcting\nindex entries when the first extent in a leaf is modified. Before\naccessing path[k].p_idx->ei_block, there is no validation that\np_idx falls within the valid range of index entries for that\nlevel.\n\nIf the on-disk extent header contains a corrupted or crafted\neh_entries value, p_idx can point past the end of the allocated\nbuffer, causing a slab-out-of-bounds read.\n\nFix this by validating path[k].p_idx against EXT_LAST_INDEX() at\nboth access sites: before the while loop and inside it. Return\n-EFSCORRUPTED if the index pointer is out of range, consistent\nwith how other bounds violations are handled in the ext4 extent\ntree code.(CVE-2026-31449)\n\nIn the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_inode_attach_jinode() publishes ei->jinode to concurrent users.\nIt used to set ei->jinode before jbd2_journal_init_jbd_inode(),\nallowing a reader to observe a non-NULL jinode with i_vfs_inode\nstill unset.\n\nThe fast commit flush path can then pass this jinode to\njbd2_wait_inode_data(), which dereferences i_vfs_inode->i_mapping and\nmay crash.\n\nBelow is the crash I observe:\n```\nBUG: unable to handle page fault for address: 000000010beb47f4\nPGD 110e51067 P4D 110e51067 PUD 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 1 UID: 0 PID: 4850 Comm: fc_fsync_bench_ Not tainted 6.18.0-00764-g795a690c06a5 #1 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.17.0-2-2 04/01/2014\nRIP: 0010:xas_find_marked+0x3d/0x2e0\nCode: e0 03 48 83 f8 02 0f 84 f0 01 00 00 48 8b 47 08 48 89 c3 48 39 c6 0f 82 fd 01 00 00 48 85 c9 74 3d 48 83 f9 03 77 63 4c 8b 0f <49> 8b 71 08 48 c7 47 18 00 00 00 00 48 89 f1 83 e1 03 48 83 f9 02\nRSP: 0018:ffffbbee806e7bf0 EFLAGS: 00010246\nRAX: 000000000010beb4 RBX: 000000000010beb4 RCX: 0000000000000003\nRDX: 0000000000000001 RSI: 0000002000300000 RDI: ffffbbee806e7c10\nRBP: 0000000000000001 R08: 0000002000300000 R09: 000000010beb47ec\nR10: ffff9ea494590090 R11: 0000000000000000 R12: 0000002000300000\nR13: ffffbbee806e7c90 R14: ffff9ea494513788 R15: ffffbbee806e7c88\nFS: 00007fc2f9e3e6c0(0000) GS:ffff9ea6b1444000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 000000010beb47f4 CR3: 0000000119ac5000 CR4: 0000000000750ef0\nPKRU: 55555554\nCall Trace:\n<TASK>\nfilemap_get_folios_tag+0x87/0x2a0\n__filemap_fdatawait_range+0x5f/0xd0\n? srso_alias_return_thunk+0x5/0xfbef5\n? __schedule+0x3e7/0x10c0\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? cap_safe_nice+0x37/0x70\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\nfilemap_fdatawait_range_keep_errors+0x12/0x40\next4_fc_commit+0x697/0x8b0\n? ext4_file_write_iter+0x64b/0x950\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\n? srso_alias_return_thunk+0x5/0xfbef5\n? vfs_write+0x356/0x480\n? srso_alias_return_thunk+0x5/0xfbef5\n? preempt_count_sub+0x5f/0x80\next4_sync_file+0xf7/0x370\ndo_fsync+0x3b/0x80\n? syscall_trace_enter+0x108/0x1d0\n__x64_sys_fdatasync+0x16/0x20\ndo_syscall_64+0x62/0x2c0\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\n...\n```\n\nFix this by initializing the jbd2_inode first.\nUse smp_wmb() and WRITE_ONCE() to publish ei->jinode after\ninitialization. Readers use READ_ONCE() to fetch the pointer.(CVE-2026-31450)","affected":[{"package":{"ecosystem":"openEuler:20.03-LTS-SP4","name":"kernel","purl":"pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.90-2605.2.0.0371.oe2003sp4"}]}],"ecosystem_specific":{"aarch64":["bpftool-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","bpftool-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-debugsource-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-devel-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-source-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-tools-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-tools-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","kernel-tools-devel-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","perf-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","perf-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","python2-perf-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","python2-perf-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","python3-perf-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm","python3-perf-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.aarch64.rpm"],"src":["kernel-4.19.90-2605.2.0.0371.oe2003sp4.src.rpm"],"x86_64":["bpftool-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","bpftool-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-debugsource-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-devel-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-source-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-tools-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-tools-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","kernel-tools-devel-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","perf-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","perf-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","python2-perf-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","python2-perf-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","python3-perf-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm","python3-perf-debuginfo-4.19.90-2605.2.0.0371.oe2003sp4.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2233"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31449"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31450"}],"database_specific":{"severity":"High"}}