Skip to main content

Linux Kernel CVE-2026-43118

| EUVDEUVD-2026-27645 MEDIUM
2026-05-06 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 20:00 vuln.today
CVSS changed
May 08, 2026 - 17:37 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 11:31 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix zero size inode with non-zero size after log replay

When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when we log new names or that an inode exists, we don't log extents).

This works fine except when we have already logged an inode in full mode or it's the first time we are logging an inode created in a past transaction, that inode has a new i_size of 0 and then we log a new name for the inode (due to a new hardlink or a rename), in which case we log an i_size of 0 for the inode and a generation of 0, which causes the log replay code to not update the inode's i_size to 0 (in overwrite_item()).

An example scenario:

mkdir /mnt/dir xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo

sync

xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo

ln /mnt/dir/foo /mnt/dir/bar

xfs_io -c "fsync" /mnt/dir

<power fail>

After log replay the file remains with a size of 64K. This is because when we first log the inode, when we fsync file foo, we log its current i_size of 0, and then when we create a hard link we log again the inode in exists mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we add to the log tree, so during log replay overwrite_item() sees that the generation is 0 and i_size is 0 so we skip updating the inode's i_size from 64K to 0.

Fix this by making sure at fill_inode_item() we always log the real generation of the inode if it was logged in the current transaction with the i_size we logged before. Also if an inode created in a previous transaction is logged in exists mode only, make sure we log the i_size stored in the inode item located from the commit root, so that if we log multiple times that the inode exists we get the correct i_size.

A test case for fstests will follow soon.

AnalysisAI

Data corruption in Linux kernel btrfs filesystem log replay allows local authenticated attackers to cause files to retain incorrect sizes after crash recovery. When a file is truncated to zero bytes, fssynced, and then a hardlink is created, the file incorrectly retains its pre-truncation size after a power failure and log replay, resulting in data integrity violation with availability impact.

Technical ContextAI

The vulnerability exists in the btrfs filesystem's transaction log (journal) replay mechanism, specifically in the fill_inode_item() and overwrite_item() functions. When logging inode existence without full extent data (LOG_INODE_EXISTS mode), the kernel sets generation to 0 as a signal to skip i_size updates during replay. However, when an inode is first logged in full mode with i_size=0 and subsequently logged in exists mode (e.g., during hardlink creation), the generation remains 0 while i_size is 0, causing the replay logic to incorrectly preserve the old i_size instead of updating it. The fix ensures the real generation is logged when an inode was modified in the current transaction and ensures correct i_size is logged for inodes created in previous transactions. CWE data not provided in source materials.

RemediationAI

Apply the upstream Linux kernel patch available at git.kernel.org/stable/ commits fddb157536e67a055597f00a8b4922d5f5ed0826, 03e966b63df5b06790310c1faaf3e0cb43adea8b, or 5254d4181add9dfaa5e3519edd71cc8f752b2f85 depending on kernel branch. Users should upgrade to Linux 6.18.24, 6.19.14, or 7.0 or later where available. For systems using btrfs and unable to patch immediately, workarounds include disabling btrfs checksumming if data integrity can be verified through other means, or avoiding hardlinks and renames immediately after truncate operations followed by fsync. However, these workarounds reduce data protection and are not recommended-kernel upgrade is the proper remediation. The fix modifies fill_inode_item() to preserve real inode generation during logging and ensures correct i_size is logged for inodes created in previous transactions, with no expected side effects to normal filesystem operations.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy