{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43067", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.981Z", "datePublished": "2026-05-05T15:23:26.717Z", "dateUpdated": "2026-05-11T22:17:04.744Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:17:04.744Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n group was populated via stream allocation from s_mb_last_groups),\n then start will be >= ngroups.\n\n Does this allow allocating blocks beyond the 32-bit limit for\n indirect block mapped files? The commit message mentions that\n ext4_mb_scan_groups_linear() takes care to not select unsupported\n groups. However, its loop uses group = *start, and the very first\n iteration will call ext4_mb_scan_group() with this unsupported\n group because next_linear_group() is only called at the end of the\n iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped. To address this, add a safety clamp in\next4_mb_scan_groups()."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/mballoc.c"], "versions": [{"version": "9d89b9d55e25cb340c5b4b769876edc551b7a9ff", "lessThan": "f89bba144938921a2249237ad04a0183ff3f8930", "status": "affected", "versionType": "git"}, {"version": "1b0edd6022a3f44ce87fea9959a9310f4628fbea", "lessThan": "83170a05908b6cf2fb3235d3065bf613ff866f3c", "status": "affected", "versionType": "git"}, {"version": "9eea2f57d11b30049ff996ac3eff6e0dc8089e5f", "lessThan": "4bec4a498ce86314d470ae6144120461f2138c29", "status": "affected", "versionType": "git"}, {"version": "34c803edc0b3365a42efcf9815acab63b4cf54e0", "lessThan": "12624c5b724a81e14e532972b40d863b0de3b7d1", "status": "affected", "versionType": "git"}, {"version": "321ed8d559c951e71ad2d2d69a4cf0445644e865", "lessThan": "2a368ccddfc492a0aa951e2caef2985f20e96503", "status": "affected", "versionType": "git"}, {"version": "4865c768b563deff1b6a6384e74a62f143427b42", "lessThan": "bb81702370fad22c06ca12b6e1648754dbc37e0f", "status": "affected", "versionType": "git"}, {"version": "16fce6b6c0b247258c6c217fce5a48abf50f6964", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/ext4/mballoc.c"], "versions": [{"version": "6.1.167", "lessThan": "6.1.168", "status": "affected", "versionType": "semver"}, {"version": "6.6.130", "lessThan": "6.6.134", "status": "affected", "versionType": "semver"}, {"version": "6.12.77", "lessThan": "6.12.80", "status": "affected", "versionType": "semver"}, {"version": "6.18.14", "lessThan": "6.18.21", "status": "affected", "versionType": "semver"}, {"version": "6.19.4", "lessThan": "6.19.11", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.167", "versionEndExcluding": "6.1.168"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.130", "versionEndExcluding": "6.6.134"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.77", "versionEndExcluding": "6.12.80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.14", "versionEndExcluding": "6.18.21"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15.203"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930"}, {"url": "https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c"}, {"url": "https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29"}, {"url": "https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1"}, {"url": "https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503"}, {"url": "https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f"}], "title": "ext4: handle wraparound when searching for blocks for indirect mapped blocks", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n group was populated via stream allocation from s_mb_last_groups),\n then start will be >= ngroups.\n\n Does this allow allocating blocks beyond the 32-bit limit for\n indirect block mapped files? The commit message mentions that\n ext4_mb_scan_groups_linear() takes care to not select unsupported\n groups. However, its loop uses group = *start, and the very first\n iteration will call ext4_mb_scan_group() with this unsupported\n group because next_linear_group() is only called at the end of the\n iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped. To address this, add a safety clamp in\next4_mb_scan_groups()."}], "id": "CVE-2026-43067", "lastModified": "2026-05-08T13:16:37.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-05-05T16:16:15.937", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ext4: handle wraparound when searching for blocks for indirect mapped blocks", "id": "2466815", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466815"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in the ext4 filesystem within the Linux kernel. This vulnerability involves an issue where the system incorrectly handles block allocation for indirect mapped files, potentially allowing blocks to be allocated beyond their defined 32-bit limit. This could lead to data corruption or system instability."], "name": "CVE-2026-43067", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43067\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43067\nhttps://lore.kernel.org/linux-cve-announce/2026050532-CVE-2026-43067-7366@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9d89b9d55e25cb340c5b4b769876edc551b7a9ff,f89bba144938921a2249237ad04a0183ff3f8930)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1b0edd6022a3f44ce87fea9959a9310f4628fbea,83170a05908b6cf2fb3235d3065bf613ff866f3c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[9eea2f57d11b30049ff996ac3eff6e0dc8089e5f,4bec4a498ce86314d470ae6144120461f2138c29)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[34c803edc0b3365a42efcf9815acab63b4cf54e0,12624c5b724a81e14e532972b40d863b0de3b7d1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[321ed8d559c951e71ad2d2d69a4cf0445644e865,2a368ccddfc492a0aa951e2caef2985f20e96503)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[4865c768b563deff1b6a6384e74a62f143427b42,bb81702370fad22c06ca12b6e1648754dbc37e0f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[16fce6b6c0b247258c6c217fce5a48abf50f6964,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.167,6.1.168)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.6.130,6.6.134)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.12.77,6.12.80)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.18.14,6.18.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.19.4,6.19.11)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-05T18:00:12.708089+00:00", "updated": "2026-05-08T15:30:05.405765+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}