Skip to main content

Linux Kernel CVE-2026-43474

| EUVDEUVD-2026-28780 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-08 Linux GHSA-5h27-3wgq-g9cf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 13:23 vuln.today
CVSS changed
May 21, 2026 - 13:22 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:22 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs: init flags_valid before calling vfs_fileattr_get

syzbot reported a uninit-value bug in [1].

Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_fileattr_get(), we should use the same mechanism when using fa.

[1] BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 vfs_fileattr_get fs/file_attr.c:94 [inline] __do_sys_file_getattr fs/file_attr.c:416 [inline]

Local variable fa.i created at: __do_sys_file_getattr fs/file_attr.c:380 [inline] __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372

AnalysisAI

Denial of service via uninitialized kernel memory in the Linux kernel's FUSE filesystem handler allows a local low-privileged user to crash the kernel by invoking the file_getattr syscall against a FUSE-mounted file. Affected are Linux kernel versions from the initial git history through stable branches predating the 6.18.19, 6.19.9, and 7.0 patch releases. No public exploit is identified at time of analysis, and EPSS sits at 0.02% (4th percentile), reflecting very low observed exploitation probability with no CISA KEV listing.

Technical ContextAI

The vulnerability resides in fs/file_attr.c within the Linux kernel's VFS layer, specifically in the __do_sys_file_getattr syscall handler at line 380. A local file_kattr structure (fa) is allocated on the stack but its flags_valid field is not initialized before being passed to vfs_fileattr_get(). The FUSE (Filesystem in Userspace) driver's fuse_fileattr_get routine at fs/fuse/ioctl.c:517 then consumes this structure and reads the uninitialized flags_valid field, violating CWE-908 (Use of Uninitialized Resource). KMSAN (Kernel Memory Sanitizer) detected this as an uninit-value read during kernel testing. The CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* indicates all Linux kernel versions from the initial commit (1da177e4c3f41524e886b7f1b8a0c1fc7321cac2) are nominally in scope until the respective patched stable commits.

RemediationAI

The primary fix is to upgrade to Linux kernel 6.18.19, 6.19.9, or 7.0, which initialize the file_kattr structure's flags_valid field before calling vfs_fileattr_get(), eliminating the uninitialized read. Upstream fix commits are available at git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1, git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42, and git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055. Distribution-maintained LTS kernels (Debian, Ubuntu, RHEL, etc.) may offer backported patches via standard package managers (apt, dnf, yum) without requiring a major version upgrade - check vendor errata for availability. For systems where immediate kernel upgrade is not feasible, restricting untrusted local user access to FUSE mounts via /etc/fuse.conf (removing the user_allow_other option and ensuring only trusted users can invoke fusermount) reduces the practical attack surface, since the vulnerable code path is only reachable through a FUSE-mounted filesystem. The trade-off is reduced filesystem flexibility for legitimate users relying on FUSE-based tools such as sshfs or gocryptfs.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy