CVE-2026-43153

/* * Conceptual PoC for CVE-2026-43153 * Demonstrating the problematic return logic leading to UAF */ #include <linux/xfs.h> // Hypothetical structure representation struct xfs_buf { void *data; }; // Simulating the vulnerable function behavior struct xfs_buf *xfs_attr_leaf_hasname_vulnerable(...) { struct xfs_buf *bp; int error; // 1. Read the leaf block error = xfs_attr3_leaf_read(..., &bp); if (error) { return NULL; // Correct: read failed, no buffer } // 2. Internal lookup error = xfs_attr3_leaf_lookup_int(bp, ...); if (error == -ENOATTR || error == -EEXIST) { return bp; // Correct: buffer is valid and needed } // 3. Vulnerability Path: Other errors (e.g., -EFSCORRUPTED) xfs_trans_brelse(NULL, bp); // Buffer is released here // BUG: Returning a pointer to a freed buffer return bp; } /* * Exploitation Logic: * An attacker would trigger an XFS attribute operation (e.g., setxattr) * that forces xfs_attr3_leaf_lookup_int to return an error other than * -ENOATTR or -EEXIST. The caller then receives 'bp', assumes it is valid, * and attempts to access it, leading to a Use-After-Free condition. */

{"cve": {"id": "CVE-2026-43153", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:33.073", "lastModified": "2026-05-13T20:11:32.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: remove xfs_attr_leaf_hasname\n\nThe calling convention of xfs_attr_leaf_hasname() is problematic, because\nit returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer\nwhen xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a\nnon-NULL buffer pointer for an already released buffer when\nxfs_attr3_leaf_lookup_int fails with other error values.\n\nFix this by simply open coding xfs_attr_leaf_hasname in the callers, so\nthat the buffer release code is done by each caller of\nxfs_attr3_leaf_read."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.9", "versionEndExcluding": "6.12.75", "matchCriteriaId": "F0FB6DE3-7F78-4DBC-83E3-1ACA0F4DC0E4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2fbc8421d1db102c0e5458607e042a23a03648b1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3a65ea768b8094e4699e72f9ab420eb9e0f3f568", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/457121c01f609b9934addbb04d5c1ef638c71c61", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/530082df991903f3330354e99e0cb7b05debfa86", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}