Skip to main content

Linux Kernel XFS CVE-2026-43365

| EUVDEUVD-2026-28671 HIGH
2026-05-08 Linux GHSA-gf37-6wm7-r3cm
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 08:28 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
8.2 (HIGH)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
HIGH 8.2
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: fix undersized l_iclog_roundoff values

If the superblock doesn't list a log stripe unit, we set the incore log roundoff value to 512. This leads to corrupt logs and unmountable filesystems in generic/617 on a disk with 4k physical sectors...

XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Torn write (CRC failure) detected at log block 0x318e. Truncating head block from 0x3197. XFS (sda1): failed to locate log tail XFS (sda1): log mount/recovery failed: error -74 XFS (sda1): log mount failed XFS (sda1): Mounting V5 Filesystem ff3121ca-26e6-4b77-b742-aaff9a449e1c XFS (sda1): Ending clean mount

...on the current xfsprogs for-next which has a broken mkfs. xfs_info shows this...

meta-data=/dev/sda1 isize=512 agcount=4, agsize=644992 blks = sectsz=4096 attr=2, projid32bit=1 = crc=1 finobt=1, sparse=1, rmapbt=1 = reflink=1 bigtime=1 inobtcount=1 nrext64=1 = exchange=1 metadir=1 data = bsize=4096 blocks=2579968, imaxpct=25 = sunit=0 swidth=0 blks naming =version 2 bsize=4096 ascii-ci=0, ftype=1, parent=1 log =internal log bsize=4096 blocks=16384, version=2 = sectsz=4096 sunit=0 blks, lazy-count=1 realtime =none extsz=4096 blocks=0, rtextents=0 = rgcount=0 rgsize=268435456 extents = zoned=0 start=0 reserved=0

...observe that the log section has sectsz=4096 sunit=0, which means that the roundoff factor is 512, not 4096 as you'd expect. We should fix mkfs not to generate broken filesystems, but anyone can fuzz the ondisk superblock so we should be more cautious. I think the inadequate logic predates commit a6a65fef5ef8d0, but that's clearly going to require a different backport.

AnalysisAI

Log corruption in Linux kernel XFS filesystem leads to mount failures and potential data integrity loss when superblock lacks log stripe unit configuration. Systems with 4k physical sector disks are vulnerable to torn writes and CRC failures that prevent filesystem mounting. Vendor-released patches available across multiple stable kernel branches (5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, 7.0). EPSS score of 0.02% suggests low exploitation probability. No active exploitation confirmed (not in CISA KEV). CVSS 8.2 reflects network vector but description indicates local filesystem operation - attack vector discrepancy requires verification.

Technical ContextAI

This vulnerability affects the XFS filesystem's log management subsystem in the Linux kernel. XFS uses a circular log to maintain filesystem consistency through transactions. The l_iclog_roundoff parameter controls alignment of log writes to physical storage boundaries. When a filesystem is created without specifying a log stripe unit (sunit=0 in superblock), the kernel incorrectly defaults the roundoff value to 512 bytes rather than matching the physical sector size. On modern storage with 4k physical sectors, this mismatch causes the log manager to write records that don't align with sector boundaries, resulting in torn writes where partial sector updates create inconsistent on-disk state. The XFS log recovery code detects these as CRC failures during mount operations. The vulnerability traces back to commit a6a65fef5ef8d0 and affects log initialization logic in the XFS mount path. CPE data confirms this impacts the core Linux kernel XFS driver across multiple stable branches from 5.14 onward.

RemediationAI

Upgrade to patched kernel versions: 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.19, 6.19.9, or 7.0 depending on your stable branch. Upstream fixes available in commits 5afae524f83d, 2ecda4b83749, 41e91dff2d39, e88ce9f0536f, 446a1f5bb64b, 5e7148402dfc, and 52a8a1ba883d accessible via git.kernel.org stable tree. For systems that cannot immediately patch, avoid creating new XFS filesystems using mkfs.xfs versions from xfsprogs for-next branch identified as generating broken superblocks. Existing properly-formatted filesystems are not at risk unless superblock is corrupted or fuzzed. If experiencing mount failures with 'Torn write (CRC failure)' and 'failed to locate log tail' errors on 4k sector disks, verify filesystem was not created with sunit=0 and sectsz mismatch using xfs_info. Workaround for critical systems: recreate affected filesystems with explicit -l sunit parameter matching physical sector size, though this requires data backup and restoration. Note that applying kernel patch does not repair existing malformed filesystems - it only prevents the kernel from accepting undersized roundoff values during mount. Recovery of affected filesystems may require xfs_repair from patched xfsprogs.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy