Skip to main content

Linux Kernel EUVDEUVD-2026-28558

| CVE-2026-43288 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-08 Linux GHSA-h57h-m4cv-vwxg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 16:52 vuln.today
CVSS changed
May 15, 2026 - 16:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ext4: move ext4_percpu_param_init() before ext4_mb_init()

When running kvm-xfstests -c ext4/1k -C 1 generic/383 with the DOUBLE_CHECK macro defined, the following panic is triggered:

============== EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum BUG: unable to handle page fault for address: ff110000fa2cc000 PGD 3e01067 P4D 3e02067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W 6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none) RIP: 0010:percpu_counter_add_batch+0x13/0xa0 Call Trace: <TASK> ext4_mark_group_bitmap_corrupted+0xcb/0xe0 ext4_validate_block_bitmap+0x2a1/0x2f0 ext4_read_block_bitmap+0x33/0x50 mb_group_bb_bitmap_alloc+0x33/0x80 ext4_mb_add_groupinfo+0x190/0x250 ext4_mb_init_backend+0x87/0x290 ext4_mb_init+0x456/0x640 __ext4_fill_super+0x1072/0x1680 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4f6/0x6b0 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==============

This issue can be reproduced using the following commands: mkfs.ext4 -F -q -b 1024 /dev/sda 5G tune2fs -O quota,project /dev/sda mount /dev/sda /tmp/test

With DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads and validates the block bitmap. When the validation fails, ext4_mark_group_bitmap_corrupted() attempts to update sbi->s_freeclusters_counter. However, this percpu_counter has not been initialized yet at this point, which leads to the panic described above.

Fix this by moving the execution of ext4_percpu_param_init() to occur before ext4_mb_init(), ensuring the per-CPU counters are initialized before they are used.

AnalysisAI

Local privilege escalation in Linux kernel ext4 filesystem causes kernel panic during mount operations when DOUBLE_CHECK is enabled. Affects multiple stable kernel versions from 6.6.128 through 7.0. The initialization race condition allows local authenticated users to trigger a denial of service by mounting specially crafted ext4 filesystems with corrupted block bitmaps. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability. Vendor patches available across all affected stable branches.

Technical ContextAI

The vulnerability exists in the ext4 filesystem's multi-block allocator initialization sequence. The ext4_mb_init() function is called before ext4_percpu_param_init(), creating a race condition where per-CPU counters (specifically sbi->s_freeclusters_counter) remain uninitialized. When DOUBLE_CHECK macro is defined, mb_group_bb_bitmap_alloc() performs early block bitmap validation. If validation detects corruption via ext4_validate_block_bitmap(), the error handler ext4_mark_group_bitmap_corrupted() attempts to update the uninitialized percpu_counter, causing a page fault (ff110000fa2cc000) and kernel panic. This represents CWE-908 (Use of Uninitialized Resource) where the kernel dereferences memory structures before proper initialization. The issue affects ext4 filesystems with specific features enabled (quota, project) and 1024-byte block sizes, though the underlying race condition exists regardless of these parameters.

RemediationAI

Apply vendor-supplied patches immediately for affected kernel versions. Upgrade to Linux kernel 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0 or later depending on your stable branch. Patches are available via kernel.org stable tree: commit 0d5fcb063cdabb9aeaa8554b7fedad2092c4150e (6.6 branch), 9e9fb259bcddf459a0168f4a964e979e500a68a5 (6.12 branch), bf5b609524497c195f801cd5707252384aed8149 (6.18 branch), aec095f3cc6cf209effd93278ce35be27db81d73 (6.19 branch), and 270564513489d98b721a1e4a10017978d5213bff (mainline). The fix moves ext4_percpu_param_init() execution before ext4_mb_init() to ensure proper initialization order. For systems unable to patch immediately, implement compensating controls: restrict mount capabilities to trusted users only via mount namespace isolation or removing CAP_SYS_ADMIN from unprivileged users, disable user-controlled filesystem mounting by removing 'user' mount options from /etc/fstab, and implement mandatory filesystem integrity checking on all ext4 images before mounting. Note that restricting mount permissions may break legitimate container or user workspace functionality. Verify patches through regression testing as initialization order changes can affect filesystem performance characteristics.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28558 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy