{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-46002","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.091Z","datePublished":"2026-05-27T12:55:57.898Z","dateUpdated":"2026-06-14T17:47:19.832Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-14T17:47:19.832Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next2: reject inodes with zero i_nlink and valid mode in ext2_iget()\n\next2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\n\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rename+0x35e/0x850 fs/ext2/namei.c:374\n vfs_rename+0xf2f/0x2060 fs/namei.c:5021\n do_renameat2+0xbe2/0xd50 fs/namei.c:5178\n __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n <TASK>\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311\n vfs_rmdir+0x204/0x690 fs/namei.c:4348\n do_rmdir+0x372/0x3e0 fs/namei.c:4407\n __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n </TASK>\n\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext2/inode.c"],"versions":[{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"9e2d67fb2b73eeff8b601e26b332128eae8147bb","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"a69a0c5156b6f0092b9fcf44517f5831a962de2d","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"32e0b925572686399243834ec99e2a9d85c62eae","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"d3af04a43db86379df7438bf8bade71685b8a239","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"2dde6377ab2e46bb80cf066c659ef016f3ad7a9b","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"470264bbec499e276a89a6431144ae58f411ea4d","status":"affected","versionType":"git"},{"version":"1da177e4c3f41524e886b7f1b8a0c1fc7321cac2","lessThan":"25947cc5b2374cd5bf627fe3141496444260d04f","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext2/inode.c"],"versions":[{"version":"2.6.12","status":"affected"},{"version":"0","lessThan":"2.6.12","status":"unaffected","versionType":"semver"},{"version":"5.10.258","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.209","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.175","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.86","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.27","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.10.258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"5.15.209"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.1.175"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.12.86"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"6.18.27"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5"},{"url":"https://git.kernel.org/stable/c/9e2d67fb2b73eeff8b601e26b332128eae8147bb"},{"url":"https://git.kernel.org/stable/c/a69a0c5156b6f0092b9fcf44517f5831a962de2d"},{"url":"https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae"},{"url":"https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239"},{"url":"https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b"},{"url":"https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d"},{"url":"https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f"}],"title":"ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()","x_generator":{"engine":"bippy-1.2.0"}}}}