Skip to main content

Linux Kernel CVE-2026-43053

| EUVDEUVD-2026-26652 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-05-01 Linux
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 07, 2026 - 18:37 vuln.today
CVSS changed
May 07, 2026 - 18:37 NVD
4.7 (MEDIUM)
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26652
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 4.7
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: close crash window in attr dabtree inactivation

When inactivating an inode with node-format extended attributes, xfs_attr3_node_inactive() invalidates all child leaf/node blocks via xfs_trans_binval(), but intentionally does not remove the corresponding entries from their parent node blocks. The implicit assumption is that xfs_attr_inactive() will truncate the entire attr fork to zero extents afterwards, so log recovery will never reach the root node and follow those stale pointers.

However, if a log shutdown occurs after the leaf/node block cancellations commit but before the attr bmap truncation commits, this assumption breaks. Recovery replays the attr bmap intact (the inode still has attr fork extents), but suppresses replay of all cancelled leaf/node blocks, maybe leaving them as stale data on disk. On the next mount, xlog_recover_process_iunlinks() retries inactivation and attempts to read the root node via the attr bmap. If the root node was not replayed, reading the unreplayed root block triggers a metadata verification failure immediately; if it was replayed, following its child pointers to unreplayed child blocks triggers the same failure:

XFS (pmem0): Metadata corruption detected at xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78 XFS (pmem0): Unmount and run xfs_repair XFS (pmem0): First 128 bytes of corrupted metadata buffer: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117

Fix this in two places:

In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a child block, immediately remove the entry that references it from the parent node in the same transaction. This eliminates the window where the parent holds a pointer to a cancelled block. Once all children are removed, the now-empty root node is converted to a leaf block within the same transaction. This node-to-leaf conversion is necessary for crash safety. If the system shutdown after the empty node is written to the log but before the second-phase bmap truncation commits, log recovery will attempt to verify the root block on disk. xfs_da3_node_verify() does not permit a node block with count == 0; such a block will fail verification and trigger a metadata corruption shutdown. on the other hand, leaf blocks are allowed to have this transient state.

In xfs_attr_inactive(), split the attr fork truncation into two explicit phases. First, truncate all extents beyond the root block (the child extents whose parent references have already been removed above). Second, invalidate the root block and truncate the attr bmap to zero in a single transaction. The two operations in the second phase must be atomic: as long as the attr bmap has any non-zero length, recovery can follow it to the root block, so the root block invalidation must commit together with the bmap-to-zero truncation.

AnalysisAI

XFS filesystem crashes during log recovery when inodes with node-format extended attributes are inactivated following an untimely log shutdown, due to stale metadata block references in the attribute B-tree. Unprivileged local attackers with write access to XFS filesystems can trigger this denial-of-service condition by inducing log shutdown during extended attribute cleanup, causing the filesystem to unmount and require repair. The vulnerability affects Linux kernel versions prior to 6.19.12 and later stable branches.

Technical ContextAI

The XFS filesystem manages extended attributes using a B-tree (dabtree) structure. When an inode with node-format attributes is being inactivated (removed), the kernel invalidates child leaf and node blocks via xfs_trans_binval() while keeping parent node references intact, relying on a subsequent attribute fork truncation to clean up the entire structure. However, a crash window exists between block invalidation and fork truncation. If a log shutdown occurs during this window, log recovery replays the attribute fork extent map but suppresses replay of the cancelled child blocks, leaving stale pointers in parent nodes. During subsequent mount and inode inactivation retry, xlog_recover_process_iunlinks() attempts to follow these invalid pointers, triggering XFS metadata verification failures (CWE-367: Time-of-check Time-of-use race condition). The fix involves two coordination points: immediate parent reference removal after each child block invalidation in xfs_attr3_node_inactive(), and atomic two-phase attribute fork truncation in xfs_attr_inactive() to ensure the root block invalidation and bmap truncation commit together.

RemediationAI

Patch immediately to Linux kernel version 6.19.12 or later, or apply the upstream commits e5a3e3cdd9b3015ae79456c81beebfdbb5246c0f and b854e1c4eff3473b6d3a9ae74129ac5c48bc0b61 (https://git.kernel.org/stable/c/e5a3e3cdd9b3015ae79456c81beebfdbb5246c0f and https://git.kernel.org/stable/c/b854e1c4eff3473b6d3a9ae74129ac5c48bc0b61). For systems unable to update immediately, mitigate risk by ensuring stable power supply and avoiding unplanned shutdowns during extended attribute operations on XFS filesystems. If filesystem corruption is detected (XFS metadata corruption errors during mount), run xfs_repair to restore filesystem integrity before resuming operations. Long-term, maintain consistent kernel patching cadence and monitor xfs/attr-related fixes in stable kernel releases.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43053 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy