{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"
            },
            {
              "fixed": "1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5"
            },
            {
              "fixed": "9e2d67fb2b73eeff8b601e26b332128eae8147bb"
            },
            {
              "fixed": "a69a0c5156b6f0092b9fcf44517f5831a962de2d"
            },
            {
              "fixed": "32e0b925572686399243834ec99e2a9d85c62eae"
            },
            {
              "fixed": "d3af04a43db86379df7438bf8bade71685b8a239"
            },
            {
              "fixed": "2dde6377ab2e46bb80cf066c659ef016f3ad7a9b"
            },
            {
              "fixed": "470264bbec499e276a89a6431144ae58f411ea4d"
            },
            {
              "fixed": "25947cc5b2374cd5bf627fe3141496444260d04f"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.12"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.86"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.27"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46002.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\next2: reject inodes with zero i_nlink and valid mode in ext2_iget()\n\next2_iget() already rejects inodes with i_nlink == 0 when i_mode is\nzero or i_dtime is set, treating them as deleted. However, the case of\ni_nlink == 0 with a non-zero mode and zero dtime slips through. Since\next2 has no orphan list, such a combination can only result from\nfilesystem corruption - a legitimate inode deletion always sets either\ni_dtime or clears i_mode before freeing the inode.\n\nA crafted image can exploit this gap to present such an inode to the\nVFS, which then triggers WARN_ON inside drop_nlink() (fs/inode.c) via\next2_unlink(), ext2_rename() and ext2_rmdir():\n\nWARNING: CPU: 3 PID: 609 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 3 UID: 0 PID: 609 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n \u003cTASK\u003e\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_unlink+0x26c/0x300 fs/ext2/namei.c:295\n vfs_unlink+0x2fc/0x9b0 fs/namei.c:4477\n do_unlinkat+0x53e/0x730 fs/namei.c:4541\n __x64_sys_unlink+0xc6/0x110 fs/namei.c:4587\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nWARNING: CPU: 0 PID: 646 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 646 Comm: syz.0.17 Not tainted 6.12.77+ #1\nCall Trace:\n \u003cTASK\u003e\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rename+0x35e/0x850 fs/ext2/namei.c:374\n vfs_rename+0xf2f/0x2060 fs/namei.c:5021\n do_renameat2+0xbe2/0xd50 fs/namei.c:5178\n __x64_sys_rename+0x7e/0xa0 fs/namei.c:5223\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nWARNING: CPU: 0 PID: 634 at fs/inode.c:336 drop_nlink+0xad/0xd0 fs/inode.c:336\nCPU: 0 UID: 0 PID: 634 Comm: syz-executor Not tainted 6.12.77+ #1\nCall Trace:\n \u003cTASK\u003e\n inode_dec_link_count include/linux/fs.h:2518 [inline]\n ext2_rmdir+0xca/0x110 fs/ext2/namei.c:311\n vfs_rmdir+0x204/0x690 fs/namei.c:4348\n do_rmdir+0x372/0x3e0 fs/namei.c:4407\n __x64_sys_unlinkat+0xf0/0x130 fs/namei.c:4577\n do_syscall_64+0xf5/0x220 arch/x86/entry/common.c:78\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\n \u003c/TASK\u003e\n\nExtend the existing i_nlink == 0 check to also catch this case,\nreporting the corruption via ext2_error() and returning -EFSCORRUPTED.\nThis rejects the inode at load time and prevents it from reaching any\nof the namei.c paths.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.",
  "id": "CVE-2026-46002",
  "modified": "2026-07-15T01:48:56.819210232Z",
  "published": "2026-05-27T12:55:57.898Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1b80cf48bcf0e1937af9cd6c7beb188762bbf7c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/25947cc5b2374cd5bf627fe3141496444260d04f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2dde6377ab2e46bb80cf066c659ef016f3ad7a9b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/32e0b925572686399243834ec99e2a9d85c62eae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/470264bbec499e276a89a6431144ae58f411ea4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e2d67fb2b73eeff8b601e26b332128eae8147bb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a69a0c5156b6f0092b9fcf44517f5831a962de2d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3af04a43db86379df7438bf8bade71685b8a239"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46002.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46002"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "ext2: reject inodes with zero i_nlink and valid mode in ext2_iget()"
}