CVE-2026-31463

Source
https://cve.org/CVERecord?id=CVE-2026-31463
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31463.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31463
Downstream
Published
2026-04-22T13:53:54.224Z
Modified
2026-07-08T08:06:21.380069642Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
iomap: fix invalid folio access when i_blkbits differs from I/O granularity
Details

In the Linux kernel, the following vulnerability has been resolved:

iomap: fix invalid folio access when i_blkbits differs from I/O granularity

Commit aa35dd5cbc06 ("iomap: fix invalid folio access after folioendread()") partially addressed invalid folio access for folios without an ifs attached, but it did not handle the case where 1 << inode->i_blkbits matches the folio size but is different from the granularity used for the IO, which means IO can be submitted for less than the full folio for the !ifs case.

In this case, the condition:

if (*bytessubmitted == foliolen) ctx->cur_folio = NULL;

in iomapreadfolioiter() will not invalidate ctx->curfolio, and iomapreadend() will still be called on the folio even though the IO helper owns it and will finish the read on it.

Fix this by unconditionally invalidating ctx->cur_folio for the !ifs case.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31463.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b2f35ac4146d32d4424aaa941bbc681f12c1b9e6
Fixed
4a927f670cdb0def226f9f85f42a9f19d9e09c88
Fixed
bd71fb3fea9945987053968f028a948997cba8cc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31463.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31463.json"