CVE-2026-43067
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Linux Kernel ext4 Filesystem

Publication date: 2026-05-05

Last updated on: 2026-05-20

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ext4: handle wraparound when searching for blocks for indirect mapped blocks Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers. However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern: If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration. After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-20
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43067
EUVD
EUVD-2026-27368
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.1.167
linux linux_kernel From 6.18.14 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19.4 (inc) to 6.19.11 (exc)
linux linux_kernel From 5.15.203 (inc) to 5.16 (exc)
linux linux_kernel From 6.12.77 (inc) to 6.12.80 (exc)
linux linux_kernel From 6.6.130 (inc) to 6.6.134 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ext4 filesystem. It relates to how the system allocates blocks for files that use indirect block mapping. A recent commit aimed to restrict block allocation to 32-bit block numbers to prevent wraparound issues. However, a review identified a scenario where the allocation process might still select unsupported block groups, potentially allowing allocation beyond the 32-bit limit. This can occur in filesystems where some files or directories use extent mapping while others use indirect block mapping. The issue was addressed by adding a safety clamp in the block group scanning function to prevent this improper allocation.

Impact Analysis

The vulnerability could lead to improper block allocation beyond the intended 32-bit block number limit in ext4 filesystems. This might cause filesystem corruption or data integrity issues, especially in mixed mapping scenarios where some files use extent mapping and others use indirect block mapping. Such corruption could result in data loss or system instability.

Mitigation Strategies

The vulnerability has been resolved by adding a safety clamp in the ext4_mb_scan_groups() function to prevent allocation of blocks beyond the 32-bit limit for indirect block mapped files.

To mitigate this vulnerability, you should update your Linux kernel to a version that includes the fix from commit 4865c768b563 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43067. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart