Skip to main content

Linux Kernel XFS EUVDEUVD-2026-27712

| CVE-2026-43153 HIGH
2026-05-06 Linux GHSA-j9jf-6fw4-2v2v
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:31 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: remove xfs_attr_leaf_hasname

The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values.

Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read.

AnalysisAI

A use-after-free flaw in the Linux kernel XFS filesystem's xfs_attr_leaf_hasname() function allows local authenticated attackers to potentially execute arbitrary code with kernel privileges or cause denial of service. The function's problematic calling convention can return a pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with specific error codes, creating a memory safety issue. Despite a CVSS score of 7.8, EPSS indicates only 0.02% probability of exploitation (5th percentile), suggesting low real-world targeting. Vendor patches are available across multiple stable kernel versions (6.12.75, 6.18.16, 6.19.6, 7.0), and the fix has been committed upstream.

Technical ContextAI

This vulnerability exists in the XFS filesystem's extended attribute handling code, specifically in the xfs_attr_leaf_hasname() helper function within the Linux kernel. XFS extended attributes store metadata about files and directories in leaf nodes. The problematic function has inconsistent buffer management behavior: it returns NULL when xfs_attr3_leaf_read() fails, returns a valid buffer on -ENOATTR or -EEXIST from xfs_attr3_leaf_lookup_int(), but critically returns a dangling pointer to freed memory when xfs_attr3_leaf_lookup_int() fails with other error codes. This creates a use-after-free condition where callers may attempt to access already-deallocated buffer memory. The CPE data identifies this affecting the core Linux kernel package (cpe:2.3:a:linux:linux). The fix involves removing the problematic abstraction and open-coding the logic in callers to ensure each caller properly manages buffer lifecycle after xfs_attr3_leaf_read().

RemediationAI

Organizations should upgrade to patched Linux kernel versions: 6.12.75, 6.18.16, 6.19.6, or 7.0 depending on their stable branch. Distribution-specific kernel updates should be applied through normal package management channels (apt, yum, dnf) as vendors backport the fix. The upstream patches are available at git.kernel.org stable tree commits referenced in NVD. If immediate patching is not feasible, consider these compensating controls with their trade-offs: disable XFS filesystem usage and migrate data to ext4 or another filesystem (significant operational disruption and data migration risk), restrict local shell access to only trusted administrative accounts through PAM configuration and disable user account creation (reduces attack surface but may break legitimate workflows requiring local access), or implement kernel lockdown mode with module signing enforcement to prevent exploitation attempts that rely on loading malicious kernel modules (may break compatibility with some third-party drivers). Note that workarounds only reduce attack surface - they do not eliminate the kernel vulnerability. The memory safety fix requires kernel patching. After applying updates, reboot systems to load the patched kernel. Verify running kernel version with uname -r command.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27712 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy