{
  "threat_severity" : "Low",
  "public_date" : "2026-05-27T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()",
    "id" : "2482081",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482081"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-1288",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\next2: reject inodes with zero i_nlink and valid mode in ext2_iget()\next2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n<TASK>\ninode_dec_link_count include/linux/fs.h:2518 [inline]\next2_unlink+0x26c/0x300 fs/ext2/namei.c:295\nvfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\ndo_unlinkat+0x53e/0x730 fs/namei.c:4541\n__x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\ndo_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n</TASK>\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n<TASK>\ninode_dec_link_count include/linux/fs.h:2518 [inline]\next2_rename+0x35e/0x850 fs/ext2/namei.c:374\nvfs_rename+0xf2f/0x2060 fs/namei.c:5021\ndo_renameat2+0xbe2/0xd50 fs/namei.c:5178\n__x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\ndo_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n</TASK>\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n<TASK>\ninode_dec_link_count include/linux/fs.h:2518 [inline]\next2_rmdir+0xca/0x110 fs/ext2/namei.c:311\nvfs_rmdir+0x204/0x690 fs/namei.c:4348\ndo_rmdir+0x372/0x3e0 fs/namei.c:4407\n__x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\ndo_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\n</TASK>\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.", "A flaw was found in the Linux kernel's ext2 filesystem. A local attacker could create a specially crafted filesystem image with malformed inodes (index nodes) that, when mounted, would not be properly rejected by the ext2_iget() function. This could lead to a kernel warning and potentially a system crash, resulting in a Denial of Service (DoS)." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46002\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46002\nhttps://lore.kernel.org/linux-cve-announce/2026052742-CVE-2026-46002-002d@gregkh/T" ],
  "name" : "CVE-2026-46002",
  "csaw" : false
}