CVE-2026-43067

{"id": "CVE-2026-43067", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-05-05T16:16:15.937", "references": [{"url": "https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n group was populated via stream allocation from s_mb_last_groups),\n then start will be >= ngroups.\n\n Does this allow allocating blocks beyond the 32-bit limit for\n indirect block mapped files? The commit message mentions that\n ext4_mb_scan_groups_linear() takes care to not select unsupported\n groups. However, its loop uses group = *start, and the very first\n iteration will call ext4_mb_scan_group() with this unsupported\n group because next_linear_group() is only called at the end of the\n iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped. To address this, add a safety clamp in\next4_mb_scan_groups()."}], "lastModified": "2026-05-20T23:16:20.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65BC3363-9FA5-4980-B120-042521BD0F34", "versionEndExcluding": "5.16", "versionStartIncluding": "5.15.203"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B71F66A1-26CE-4A17-BBAB-34A1AE897567", "versionEndExcluding": "6.6.134", "versionStartIncluding": "6.6.130"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C8D55175-C5FF-47BC-BC65-A2B06E3021A1", "versionEndExcluding": "6.12.80", "versionStartIncluding": "6.12.77"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEA57E4E-36B0-40D5-98B9-6A50348C9E74", "versionEndExcluding": "6.18.21", "versionStartIncluding": "6.18.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A67B0458-DAE3-4940-BBB2-1A4D263AF27B", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.19.4"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.1.167:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B898A4FB-4E74-40F7-B523-B71FFB681B6D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}