HOMEVULNERABILITIESCVE-2026-43067
CRITICAL

CVE-2026-43067

Published: May 5, 2026· Updated: May 8, 2026

9.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:6.8th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: handle wraparound when searching for blocks for indirect mapped blocks

Commit 4865c768b563 ("ext4: always allocate blocks only from groups

inode can use") restricts what blocks will be allocated for indirect

block based files to block numbers that fit within 32-bit block

numbers.

However, when using a review bot running on the latest Gemini LLM to

check this commit when backporting into an LTS based kernel, it raised

this concern:

If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal

group was populated via stream allocation from s_mb_last_groups),

then start will be >= ngroups.

Does this allow allocating blocks beyond the 32-bit limit for

indirect block mapped files? The commit message mentions that

ext4_mb_scan_groups_linear() takes care to not select unsupported

groups. However, its loop uses group = *start, and the very first

iteration will call ext4_mb_scan_group() with this unsupported

group because next_linear_group() is only called at the end of the

iteration.

After reviewing the code paths involved and considering the LLM

review, I determined that this can happen when there is a file system

where some files/directories are extent-mapped and others are

indirect-block mapped. To address this, add a safety clamp in

ext4_mb_scan_groups().

NVD Source

Technical Analysis

CVE-2026-43067 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 9.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-43067
CVSS Score9.8 / 10
SeverityCRITICAL
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 5, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43067 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.