Linux Kernel: iomap folio access flaw from i_blkbits granularity mis-match
CVE-2026-31463 Published on April 22, 2026
iomap: fix invalid folio access when i_blkbits differs from I/O granularity
In the Linux kernel, the following vulnerability has been resolved:
iomap: fix invalid folio access when i_blkbits differs from I/O granularity
Commit aa35dd5cbc06 ("iomap: fix invalid folio access after
folio_end_read()") partially addressed invalid folio access for folios
without an ifs attached, but it did not handle the case where
1 << inode->i_blkbits matches the folio size but is different from the
granularity used for the IO, which means IO can be submitted for less
than the full folio for the !ifs case.
In this case, the condition:
if (*bytes_submitted == folio_len)
ctx->cur_folio = NULL;
in iomap_read_folio_iter() will not invalidate ctx->cur_folio, and
iomap_read_end() will still be called on the folio even though the IO
helper owns it and will finish the read on it.
Fix this by unconditionally invalidating ctx->cur_folio for the !ifs
case.
Products Associated with CVE-2026-31463
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version b2f35ac4146d32d4424aaa941bbc681f12c1b9e6 and below 4a927f670cdb0def226f9f85f42a9f19d9e09c88 is affected.
- Version b2f35ac4146d32d4424aaa941bbc681f12c1b9e6 and below bd71fb3fea9945987053968f028a948997cba8cc is affected.
- Version 6.19 is affected.
- Before 6.19 is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.