MEDIUM

CVE-2026-43053

Published: May 1, 2026 · Updated: May 7, 2026

CVSS v3.1: 4.7
EPSS: 0.02% probability of exploitation in 30 days · Percentile: 5.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: close crash window in attr dabtree inactivation

When inactivating an inode with node-format extended attributes, xfs_attr3_node_inactive() invalidates all child leaf/node blocks via xfs_trans_binval(), but intentionally does not remove the corresponding entries from their parent node blocks. The implicit assumption is that xfs_attr_inactive() will truncate the entire attr fork to zero extents afterwards, so log recovery will never reach the root node and follow those stale pointers.

However, if a log shutdown occurs after the leaf/node block cancellations commit but before the attr bmap truncation commits, this assumption breaks. Recovery replays the attr bmap intact (the inode still has attr fork extents), but suppresses replay of all cancelled leaf/node blocks, maybe leaving them as stale data on disk. On the next mount, xlog_recover_process_iunlinks() retries inactivation and attempts to read the root node via the attr bmap. If the root node was not replayed, reading the unreplayed root block triggers a metadata verification failure immediately; if it was replayed, following its child pointers to unreplayed child blocks triggers the same failure:

  XFS (pmem0): Metadata corruption detected at
  xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78
  XFS (pmem0): Unmount and run xfs_repair
  XFS (pmem0): First 128 bytes of corrupted metadata buffer:
  00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117

Fix this in two places:

In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a child block, immediately remove the entry that references it from the parent node in the same transaction. This eliminates the window where the parent holds a pointer to a cancelled block. Once all children are removed, the now-empty root node is converted to a leaf block within the same transaction. This node-to-leaf conversion is necessary for crash safety. If the system shuts down after the empty node is written to the log but before the second-phase bmap truncation commits, log recovery will attempt to verify the root block on disk. xfs_da3_node_verify() does not permit a node block with count == 0; such a block will fail verification and trigger a metadata corruption shutdown. On the other hand, leaf blocks are allowed to have this transient state.

In xfs_attr_inactive(), split the attr fork truncation into two explicit phases. First, truncate all extents beyond the root block (the child extents whose parent references have already been removed above). Second, invalidate the root block and truncate the attr bmap to zero in a single transaction. The two operations in the second phase must be atomic: as long as the attr bmap has any non-zero length, recovery can follow it to the root block, so the root block invalidation must commit together with the bmap-to-zero truncation.

NVD Source
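
The crash-window argument in the description can be checked with a small model. The following is an added example, not kernel code and not part of the NVD record: a toy log in which block 0 is the attr root and blocks 1 and 2 are its children, replayed after a shutdown at every commit boundary. The transaction layout, the op names and the assumption that nothing was written back before the crash are all simplifications made for this model.

```python
# Toy model of XFS log recovery for one attr fork (added example, not kernel code).
# Block 0 is the attr root node; blocks 1 and 2 are its children.
# Assumption: nothing was written back before the crash, so the disk only
# holds what recovery replays.

def recover(log, ncommitted):
    """Replay the first `ncommitted` transactions; cancelled blocks are skipped."""
    done = log[:ncommitted]
    cancelled = {op[1] for tx in done for op in tx if op[0] == "cancel"}
    disk, bmap = {}, set()
    for tx in done:
        for op in tx:
            if op[0] == "write" and op[1] not in cancelled:
                disk[op[1]] = op[2]          # (kind, child block numbers)
            elif op[0] == "bmap":
                bmap = set(op[1])
    return disk, bmap

def retry_inactivation(disk, bmap):
    """Next-mount retry: read the root through the bmap, then each child."""
    if not bmap:
        return "ok"                          # attr fork already truncated to zero
    if 0 not in disk:
        return "corrupt: root"
    kind, children = disk[0]
    if kind == "node" and not children:
        return "corrupt: empty node"         # node verifier rejects count == 0
    for blk in children:
        if blk not in disk:
            return f"corrupt: child {blk}"
    return "ok"

def crash_outcomes(log):
    """Outcome of a log shutdown after each committed transaction."""
    return [retry_inactivation(*recover(log, n)) for n in range(1, len(log) + 1)]

CREATE = [("write", 0, ("node", (1, 2))), ("write", 1, ("leaf", ())),
          ("write", 2, ("leaf", ())), ("bmap", {0, 1, 2})]
OLD = [CREATE, [("cancel", 1)], [("cancel", 2)], [("cancel", 0)], [("bmap", set())]]
FIXED = [CREATE,
         [("cancel", 1), ("write", 0, ("node", (2,)))],   # drop parent entry with the child
         [("cancel", 2), ("write", 0, ("leaf", ()))],     # empty root becomes a leaf
         [("bmap", {0})],                                 # phase 1: keep only the root extent
         [("cancel", 0), ("bmap", set())]]                # phase 2: one atomic transaction
NO_CONVERT = FIXED[:2] + [[("cancel", 2), ("write", 0, ("node", ()))]] + FIXED[3:]

if __name__ == "__main__":
    for name, log in (("old", OLD), ("fixed", FIXED), ("no leaf conversion", NO_CONVERT)):
        print(name, crash_outcomes(log))
```

In the model, the old ordering fails at every crash point between the first child cancellation and the final truncation, the fixed ordering survives all of them, and skipping the node-to-leaf conversion reintroduces a failure on the empty root node.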

Technical Analysis

CVE-2026-43053 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 4.7.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: High
Privileges Req.: Low
User Interaction: None
Scope: Unchanged
Impact
Confidentiality: None
Integrity: None
Availability: High
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Linux: 1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

No known exploit: no public exploit confirmed at this time.

Official Patches & Advisories

All References (2)

Quick Facts

CVE ID: CVE-2026-43053
CVSS Score: 4.7 / 10
Severity: MEDIUM
CISA KEV: No
EPSS (30d): 0.02%
Affected: 1 vendor
Published: May 1, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43053 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
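
For host-side monitoring, the kernel messages quoted in the description are the observable symptom. The following added example (not from NVD or the kernel project) scans kernel log lines for a xfs_da3_node_read_verify failure and correlates it with the matching error 117 I/O line and an earlier recovery start on the same device. The sample lines are constructed from the page's messages, and because the same verifier also covers directory blocks, a hit is a triage lead rather than proof of this CVE.

```python
import re

# Patterns follow the two kernel messages quoted in the description above.
VERIFIER = re.compile(
    r"XFS \((?P<dev>[^)]+)\): Metadata corruption detected at\s+"
    r"(?P<fn>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+, (?P<type>\w+) block (?P<blk>0x[0-9a-f]+)")
IOERR = re.compile(
    r'XFS \((?P<dev>[^)]+)\): metadata I/O error in "(?P<fn>\w+)\+[^"]*" '
    r"at daddr (?P<daddr>0x[0-9a-f]+) len \d+ error (?P<err>\d+)")
RECOVERY = re.compile(r"XFS \((?P<dev>[^)]+)\): Starting recovery")
EFSCORRUPTED = 117  # EUCLEAN on Linux, which XFS uses for corrupted metadata

def find_dabtree_failures(lines):
    """Return one finding per da3 node verifier failure, with correlation flags."""
    recovering, findings = set(), []
    for line in lines:
        if m := RECOVERY.search(line):
            recovering.add(m["dev"])
        elif (m := VERIFIER.search(line)) and m["fn"] == "xfs_da3_node_read_verify":
            findings.append({"dev": m["dev"], "block": int(m["blk"], 16),
                             "after_recovery": m["dev"] in recovering,
                             "io_error_117": False})
        elif m := IOERR.search(line):
            for f in findings:
                if (f["dev"] == m["dev"] and f["block"] == int(m["daddr"], 16)
                        and int(m["err"]) == EFSCORRUPTED):
                    f["io_error_117"] = True
    return findings

# Constructed sample: the page's messages on single lines, plus a constructed
# recovery line and an unrelated device (sdb1) that must not match.
SAMPLE = [
    "XFS (pmem0): Starting recovery (logdev: internal)",
    "XFS (pmem0): Metadata corruption detected at xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78",
    "XFS (pmem0): Unmount and run xfs_repair",
    'XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117',
    "XFS (sdb1): Metadata corruption detected at xfs_inode_buf_verify+0x10/0x20, xfs_inode block 0x40",
]

if __name__ == "__main__":
    for finding in find_dabtree_failures(SAMPLE):
        print(finding)
```
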
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.