CVE-2026-43187
Awaiting Analysis Awaiting Analysis - Queue
XFS Filesystem Attribute Leaf Freemap Corruption

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: xfs: delete attr leaf freemap entries when empty Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow"), Brian Foster observed that it's possible for a small freemap at the end of the end of the xattr entries array to experience a size underflow when subtracting the space consumed by an expansion of the entries array. There are only three freemap entries, which means that it is not a complete index of all free space in the leaf block. This code can leave behind a zero-length freemap entry with a nonzero base. Subsequent setxattr operations can increase the base up to the point that it overlaps with another freemap entry. This isn't in and of itself a problem because the code in _leaf_add that finds free space ignores any freemap entry with zero size. However, there's another bug in the freemap update code in _leaf_add, which is that it fails to update a freemap entry that begins midway through the xattr entry that was just appended to the array. That can result in the freemap containing two entries with the same base but different sizes (0 for the "pushed-up" entry, nonzero for the entry that's actually tracking free space). A subsequent _leaf_add can then allocate xattr namevalue entries on top of the entries array, leading to data loss. But fixing that is for later. For now, eliminate the possibility of confusion by zeroing out the base of any freemap entry that has zero size. Because the freemap is not intended to be a complete index of free space, a subsequent failure to find any free space for a new xattr will trigger block compaction, which regenerates the freemap. It looks like this bug has been in the codebase for quite a long time.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-07
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43187
EUVD
EUVD-2026-27746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel xfs *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's XFS filesystem code related to extended attributes (xattr). Specifically, it involves the handling of freemap entries in the attribute leaf block. A freemap is used to track free space within the leaf block, but due to a bug, zero-length freemap entries with nonzero base values can be left behind.

When new xattr entries are added, the code can fail to properly update these freemap entries, causing overlapping entries with the same base but different sizes. This can lead to allocation of new xattr entries on top of existing ones, potentially causing data loss.

The fix involves zeroing out the base of any freemap entry that has zero size to prevent confusion and ensure proper free space tracking.


How can this vulnerability impact me? :

This vulnerability can lead to data loss because the filesystem may allocate new extended attribute entries on top of existing ones due to incorrect free space tracking.

Such data corruption can affect the integrity of file metadata stored in extended attributes, potentially causing system instability or loss of important file information.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by eliminating the possibility of confusion caused by zero-length freemap entries with nonzero bases in the xfs attribute leaf freemap.

Immediate mitigation involves updating the Linux kernel to a version that includes the fix for this issue, which zeroes out the base of any freemap entry that has zero size.

Because the freemap is not a complete index of free space, if a failure to find free space occurs, block compaction will be triggered to regenerate the freemap, preventing data loss.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart