CVE-2026-43053 (GCVE-0-2026-43053)
Vulnerability from cvelistv5 – Published: 2026-05-01 14:15 – Updated: 2026-05-01 14:15
Title
xfs: close crash window in attr dabtree inactivation
Summary
In the Linux kernel, the following vulnerability has been resolved:
xfs: close crash window in attr dabtree inactivation
When inactivating an inode with node-format extended attributes,
xfs_attr3_node_inactive() invalidates all child leaf/node blocks via
xfs_trans_binval(), but intentionally does not remove the corresponding
entries from their parent node blocks. The implicit assumption is that
xfs_attr_inactive() will truncate the entire attr fork to zero extents
afterwards, so log recovery will never reach the root node and follow
those stale pointers.
However, if a log shutdown occurs after the leaf/node block cancellations
commit but before the attr bmap truncation commits, this assumption
breaks. Recovery replays the attr bmap intact (the inode still has
attr fork extents), but suppresses replay of all cancelled leaf/node
blocks, maybe leaving them as stale data on disk. On the next mount,
xlog_recover_process_iunlinks() retries inactivation and attempts to
read the root node via the attr bmap. If the root node was not replayed,
reading the unreplayed root block triggers a metadata verification
failure immediately; if it was replayed, following its child pointers
to unreplayed child blocks triggers the same failure:
XFS (pmem0): Metadata corruption detected at
xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78
XFS (pmem0): Unmount and run xfs_repair
XFS (pmem0): First 128 bytes of corrupted metadata buffer:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117
Fix this in two places:
In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a
child block, immediately remove the entry that references it from the
parent node in the same transaction. This eliminates the window where
the parent holds a pointer to a cancelled block. Once all children are
removed, the now-empty root node is converted to a leaf block within the
same transaction. This node-to-leaf conversion is necessary for crash
safety. If the system shuts down after the empty node is written to the
log but before the second-phase bmap truncation commits, log recovery
will attempt to verify the root block on disk. xfs_da3_node_verify()
does not permit a node block with count == 0; such a block will fail
verification and trigger a metadata corruption shutdown. On the other
hand, leaf blocks are allowed to have this transient state.
In xfs_attr_inactive(), split the attr fork truncation into two explicit
phases. First, truncate all extents beyond the root block (the child
extents whose parent references have already been removed above).
Second, invalidate the root block and truncate the attr bmap to zero in
a single transaction. The two operations in the second phase must be
atomic: as long as the attr bmap has any non-zero length, recovery can
follow it to the root block, so the root block invalidation must commit
together with the bmap-to-zero truncation.
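A log check for the failure signature quoted in the summary, as an added example that is not part of the CVE record or the kernel patch. The function name, the timestamps and the first sample line are assumptions made for illustration; the remaining sample lines are the page's excerpt with the hex dump shortened to two rows.

```python
import re

# Verifier failure line; \s+ tolerates the line wrap used in the commit message.
CORRUPT_RE = re.compile(
    r"XFS \((?P<dev>[^)]+)\): Metadata corruption detected at\s+"
    r"xfs_da3_node_read_verify\+0x[0-9a-f]+/0x[0-9a-f]+,\s+"
    r"xfs_da3_node block (?P<block>0x[0-9a-f]+)")
IOERR_RE = re.compile(
    r'XFS \((?P<dev>[^)]+)\): metadata I/O error in "[^"]+"\s+'
    r"at daddr (?P<daddr>0x[0-9a-f]+) len \d+ error (?P<err>\d+)")
HEXROW_RE = re.compile(r"\b[0-9a-f]{8}: ((?:[0-9a-f]{2} ){15}[0-9a-f]{2})")
EFSCORRUPTED = 117  # XFS maps EFSCORRUPTED to EUCLEAN (117 on Linux)

def find_da_node_read_failures(log_text):
    """Return one finding per da3 node read-verifier failure in a kernel log."""
    hits = list(CORRUPT_RE.finditer(log_text))
    findings = []
    for i, hit in enumerate(hits):
        # Lines belonging to this event run up to the next verifier failure.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(log_text)
        segment = log_text[hit.end():end]
        block = int(hit["block"], 16)
        dump = [b for row in HEXROW_RE.findall(segment) for b in row.split()]
        io_err = any(e["dev"] == hit["dev"] and int(e["daddr"], 16) == block
                     and int(e["err"]) == EFSCORRUPTED
                     for e in IOERR_RE.finditer(segment))
        findings.append({
            "device": hit["dev"],
            "block": block,
            # True when every dumped byte is 00, as in the page's excerpt.
            "dump_all_zero": bool(dump) and all(b == "00" for b in dump),
            "read_failed_efscorrupted": io_err,
        })
    return findings

# Constructed sample (see lead-in); the sdb1 line is unrelated and must not match.
SAMPLE_LOG = """\
[   41.100] XFS (sdb1): Mounting V5 Filesystem
[   41.200] XFS (pmem0): Metadata corruption detected at xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78
[   41.201] XFS (pmem0): Unmount and run xfs_repair
[   41.202] XFS (pmem0): First 128 bytes of corrupted metadata buffer:
[   41.203] 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   41.204] 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
[   41.205] XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117
"""
if __name__ == "__main__":
    for finding in find_da_node_read_failures(SAMPLE_LOG):
        print(finding)
```

A match identifies the symptom only: a da3 node block that fails its read verifier can have other causes, so correlate a hit with an unclean shutdown shortly before the mount and with the running kernel version.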
Severity
No CVSS data available.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_attr_inactive.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "e5a3e3cdd9b3015ae79456c81beebfdbb5246c0f",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "b854e1c4eff3473b6d3a9ae74129ac5c48bc0b61",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/xfs/xfs_attr_inactive.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "2.6.12"
},
{
"lessThan": "2.6.12",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.12",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.12",
"versionStartIncluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0",
"versionStartIncluding": "2.6.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: close crash window in attr dabtree inactivation\n\nWhen inactivating an inode with node-format extended attributes,\nxfs_attr3_node_inactive() invalidates all child leaf/node blocks via\nxfs_trans_binval(), but intentionally does not remove the corresponding\nentries from their parent node blocks. The implicit assumption is that\nxfs_attr_inactive() will truncate the entire attr fork to zero extents\nafterwards, so log recovery will never reach the root node and follow\nthose stale pointers.\n\nHowever, if a log shutdown occurs after the leaf/node block cancellations\ncommit but before the attr bmap truncation commits, this assumption\nbreaks. Recovery replays the attr bmap intact (the inode still has\nattr fork extents), but suppresses replay of all cancelled leaf/node\nblocks, maybe leaving them as stale data on disk. On the next mount,\nxlog_recover_process_iunlinks() retries inactivation and attempts to\nread the root node via the attr bmap. 
If the root node was not replayed,\nreading the unreplayed root block triggers a metadata verification\nfailure immediately; if it was replayed, following its child pointers\nto unreplayed child blocks triggers the same failure:\n\n XFS (pmem0): Metadata corruption detected at\n xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78\n XFS (pmem0): Unmount and run xfs_repair\n XFS (pmem0): First 128 bytes of corrupted metadata buffer:\n 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n XFS (pmem0): metadata I/O error in \"xfs_da_read_buf+0x104/0x190\" at daddr 0x78 len 8 error 117\n\nFix this in two places:\n\nIn xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a\nchild block, immediately remove the entry that references it from the\nparent node in the same transaction. This eliminates the window where\nthe parent holds a pointer to a cancelled block. Once all children are\nremoved, the now-empty root node is converted to a leaf block within the\nsame transaction. This node-to-leaf conversion is necessary for crash\nsafety. If the system shutdown after the empty node is written to the\nlog but before the second-phase bmap truncation commits, log recovery\nwill attempt to verify the root block on disk. xfs_da3_node_verify()\ndoes not permit a node block with count == 0; such a block will fail\nverification and trigger a metadata corruption shutdown. 
on the other\nhand, leaf blocks are allowed to have this transient state.\n\nIn xfs_attr_inactive(), split the attr fork truncation into two explicit\nphases. First, truncate all extents beyond the root block (the child\nextents whose parent references have already been removed above).\nSecond, invalidate the root block and truncate the attr bmap to zero in\na single transaction. The two operations in the second phase must be\natomic: as long as the attr bmap has any non-zero length, recovery can\nfollow it to the root block, so the root block invalidation must commit\ntogether with the bmap-to-zero truncation."
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T14:15:46.709Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/e5a3e3cdd9b3015ae79456c81beebfdbb5246c0f"
},
{
"url": "https://git.kernel.org/stable/c/b854e1c4eff3473b6d3a9ae74129ac5c48bc0b61"
}
],
"title": "xfs: close crash window in attr dabtree inactivation",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-43053",
"datePublished": "2026-05-01T14:15:46.709Z",
"dateReserved": "2026-05-01T14:12:55.980Z",
"dateUpdated": "2026-05-01T14:15:46.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-43053",
"date": "2026-05-05",
"epss": "0.00018",
"percentile": "0.04977"
}
}
}