Skip to main content

Linux Kernel EUVDEUVD-2026-27746

| CVE-2026-43187 HIGH
Integer Underflow (CWE-191)
2026-05-06 Linux GHSA-8h5h-g93f-3ff6
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:35 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
8.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 8.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

xfs: delete attr leaf freemap entries when empty

Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block.

This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size.

However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later.

For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap.

It looks like this bug has been in the codebase for quite a long time.

AnalysisAI

Data loss and memory corruption in Linux kernel XFS filesystem implementation allows authenticated users with ability to set extended attributes to corrupt xattr leaf blocks and overwrite entries array. The vulnerability stems from improper freemap management when xattr entries array expands, leaving zero-length freemap entries with nonzero base values that can overlap with legitimate freemap entries. Subsequent setxattr operations can allocate namevalue entries on top of the entries array, leading to filesystem data loss. EPSS score of 0.02% suggests low widespread exploitation probability, and no active exploitation is confirmed (not in CISA KEV). Patches are vendor-released for stable kernel versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0.

Technical ContextAI

This vulnerability affects the XFS filesystem's extended attribute (xattr) implementation in the Linux kernel, specifically the freemap management logic in xattr leaf blocks. XFS uses a freemap structure with only three entries to track free space in attribute leaf blocks, which is not a complete index of all available space. The bug originates from commit 2a2b5932db6758 which attempted to fix size underflow issues but left a code path that creates zero-length freemap entries with nonzero base offsets when the xattr entries array expands. The subsequent _leaf_add function contains a second bug where it fails to update freemap entries that begin midway through newly appended xattr entries, resulting in duplicate freemap entries with identical base offsets but different sizes. This combination allows the allocator to place namevalue entries on top of the entries array itself, corrupting filesystem metadata. The vulnerability has existed in the codebase since at least kernel 2.6.12 (commit 1da177e4c3f4), indicating a long-standing architectural issue with XFS freemap management. The affected CPE strings confirm impact across Linux kernel versions spanning nearly two decades of development.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252 or later for 5.10.x branch, 5.15.202+ for 5.15.x, 6.1.165+ for 6.1.x, 6.6.128+ for 6.6.x, 6.12.75+ for 6.12.x, 6.18.16+ for 6.18.x, 6.19.6+ for 6.19.x, or migrate to kernel 7.0 mainline. Distribution-specific updates should be obtained through official package managers (apt, yum, dnf, zypper) which backport security fixes to vendor-supported kernel versions. Fix commits are available at https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399 (mainline) and branch-specific commits listed in references. If immediate patching is not feasible, consider these compensating controls with trade-offs: (1) Disable user-controlled xattr operations on XFS filesystems by mounting with 'noattr' option-this breaks applications and security frameworks (SELinux, capabilities, ACLs) that depend on extended attributes, rendering systems potentially unusable; (2) Migrate critical data from XFS to ext4 or other filesystems-involves significant downtime and operational complexity for production systems; (3) Restrict setxattr system calls via seccomp-bpf or AppArmor profiles for untrusted processes-requires careful profiling to avoid breaking legitimate applications and may not prevent exploitation by compromised privileged processes. Note that workarounds provide limited protection since any authenticated process performing legitimate xattr operations can trigger corruption. Prioritize kernel patching as the only comprehensive mitigation, scheduling updates during planned maintenance windows for affected XFS-based systems.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy