NuytsTech Security

CVE-2026-46094

by ·

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access

The bounds check for the next xattr entry in check_xattrs() uses
(void *)next >= end, which allows next to point within sizeof(u32)
bytes of end. On the next loop iteration, IS_LAST_ENTRY() reads 4
bytes via *(__u32 *)(entry), which can overrun the valid xattr region.

For example, if next lands at end – 1, the check passes since
next < end, but IS_LAST_ENTRY() reads 4 bytes starting at end - 1, accessing 3 bytes beyond the valid region. Fix this by changing the check to (void *)next + sizeof(u32) > end,
ensuring there is always enough space for the IS_LAST_ENTRY() read
on the subsequent iteration.

More information : https://git.kernel.org/stable/c/520986722dbf869c122252123fc161c7302eab7d

Tags: