Skip to main content

Linux Kernel CVE-2026-43067

| EUVDEUVD-2026-27368 CRITICAL
2026-05-05 Linux
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:22 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
9.8 (CRITICAL)
Patch available
May 05, 2026 - 17:31 EUVD
CVE Published
May 05, 2026 - 15:23 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: handle wraparound when searching for blocks for indirect mapped blocks

Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers.

However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern:

If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups.

Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration.

After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups().

AnalysisAI

Linux kernel ext4 filesystem improperly handles block group wraparound in ext4_mb_scan_groups(), allowing allocation of blocks beyond 32-bit limits for indirect-mapped files when stream allocation selects unsupported groups. While CVSS assigns network vector (9.8), this is a local kernel memory corruption issue requiring local filesystem access. EPSS score of 0.02% (7th percentile) indicates low real-world exploitation probability. Patches available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.80, 6.18.21, 6.19.11). No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.

Technical ContextAI

The ext4 filesystem in Linux uses two methods for tracking file blocks: modern extent-based mapping and legacy indirect block mapping. Indirect-mapped files are restricted to 32-bit block numbers for compatibility. Commit 4865c768b563 attempted to enforce this by limiting block allocation to groups within 32-bit range. However, the fix contained a logic flaw in ext4_mb_scan_groups_linear(): when stream allocation populates ac_g_ex.fe_group from s_mb_last_groups cache with a group number >= ngroups, the function passes this unsupported group directly to ext4_mb_scan_group() on the first iteration before next_linear_group() performs wraparound validation. This violates the 32-bit constraint and could corrupt filesystem metadata or cause out-of-bounds access. The vulnerability affects mixed-mode filesystems where both extent-mapped and indirect-mapped files coexist. The patch adds a safety clamp to prevent group numbers from exceeding valid ranges before scanning begins.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.168 or later for 6.1.x branch, 6.6.134 or later for 6.6.x, 6.12.80 or later for 6.12.x, 6.18.21 or later for 6.18.x, 6.19.11 or later for 6.19.x series. Patch commits available at https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f (mainline) and branch-specific commits f89bba144938, 83170a05908b, 4bec4a498ce8, 12624c5b724a, 2a368ccddfc4. If immediate kernel upgrade is not feasible, mitigating controls include: (1) converting all indirect-mapped files to extent-mapped format using e4defrag on affected filesystems - eliminates vulnerable code path but requires filesystem downtime and may break compatibility with legacy tools expecting indirect format, (2) disabling stream allocation by setting mballoc stream_req=0 mount option - reduces performance for concurrent allocations but prevents s_mb_last_groups cache from populating with out-of-range groups, (3) restricting local user filesystem access on multi-tenant systems via mandatory access controls (SELinux, AppArmor) - limits attack surface but does not eliminate risk from privileged processes. No workaround fully mitigates without patching.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43067 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy