CVE-2026-43288
Received Received - Intake
ext4 Block Bitmap Corruption Due to Uninitialized Percpu Counters

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ext4: move ext4_percpu_param_init() before ext4_mb_init() When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the `DOUBLE_CHECK` macro defined, the following panic is triggered: ================================================================== EXT4-fs error (device vdc): ext4_validate_block_bitmap:423: comm mount: bg 0: bad block bitmap checksum BUG: unable to handle page fault for address: ff110000fa2cc000 PGD 3e01067 P4D 3e02067 PUD 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W 6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none) RIP: 0010:percpu_counter_add_batch+0x13/0xa0 Call Trace: <TASK> ext4_mark_group_bitmap_corrupted+0xcb/0xe0 ext4_validate_block_bitmap+0x2a1/0x2f0 ext4_read_block_bitmap+0x33/0x50 mb_group_bb_bitmap_alloc+0x33/0x80 ext4_mb_add_groupinfo+0x190/0x250 ext4_mb_init_backend+0x87/0x290 ext4_mb_init+0x456/0x640 __ext4_fill_super+0x1072/0x1680 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4f6/0x6b0 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== This issue can be reproduced using the following commands: mkfs.ext4 -F -q -b 1024 /dev/sda 5G tune2fs -O quota,project /dev/sda mount /dev/sda /tmp/test With DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads and validates the block bitmap. When the validation fails, ext4_mark_group_bitmap_corrupted() attempts to update sbi->s_freeclusters_counter. However, this percpu_counter has not been initialized yet at this point, which leads to the panic described above. Fix this by moving the execution of ext4_percpu_param_init() to occur before ext4_mb_init(), ensuring the per-CPU counters are initialized before they are used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43288
EUVD
EUVD-2026-28558
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel 6.18.0-gba65a4e7120a-dirty
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's ext4 filesystem code. Specifically, it involves the order of initialization of per-CPU counters used during block bitmap validation. When running certain tests with the DOUBLE_CHECK macro defined, a panic is triggered because a per-CPU counter (s_freeclusters_counter) is accessed before it has been initialized. This happens because ext4_percpu_param_init() is called after ext4_mb_init(), but it needs to be called before to properly initialize these counters. The issue leads to a kernel panic during block bitmap validation.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to panic and crash when mounting or working with ext4 filesystems under certain conditions. The panic occurs due to an uninitialized per-CPU counter being accessed, which can lead to system instability or downtime. This could disrupt normal operations, cause data access interruptions, and require system reboots to recover.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the panic condition described in the CVE. Specifically, running the following commands can trigger the issue if the system is vulnerable:

  • mkfs.ext4 -F -q -b 1024 /dev/sda 5G
  • tune2fs -O quota,project /dev/sda
  • mount /dev/sda /tmp/test

When the DOUBLE_CHECK macro is defined and these commands are run, a panic related to ext4 block bitmap checksum errors and percpu_counter initialization failure may occur, indicating the presence of the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by ensuring that the ext4_percpu_param_init() function is executed before ext4_mb_init(), which initializes the per-CPU counters before they are used.

Immediate mitigation steps include updating the Linux kernel to a version where this fix has been applied, as the issue arises from improper initialization order in the ext4 filesystem code.

Until the kernel is updated, avoid running workloads or tests that trigger the ext4 block bitmap validation with the DOUBLE_CHECK macro enabled, as this can cause system panics.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart