HOMEVULNERABILITIESCVE-2026-43158
HIGH

CVE-2026-43158

Published: May 6, 2026· Updated: May 8, 2026

8.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: fix freemap adjustments when adding xattrs to leaf blocks

xfs/592 and xfs/794 both trip this assertion in the leaf block freemap

adjustment code after ~20 minutes of running on my test VMs:

ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t)

+ xfs_attr3_leaf_hdr_size(leaf));

Upon enabling quite a lot more debugging code, I narrowed this down to

fsstress trying to set a local extended attribute with namelen=3 and

valuelen=71. This results in an entry size of 80 bytes.

At the start of xfs_attr3_leaf_add_work, the freemap looks like this:

i 0 base 448 size 0 rhs 448 count 46

i 1 base 388 size 132 rhs 448 count 46

i 2 base 2120 size 4 rhs 448 count 46

firstused = 520

where "rhs" is the first byte past the end of the leaf entry array.

This is inconsistent -- the entries array ends at byte 448, but

freemap[1] says there's free space starting at byte 388!

By the end of the function, the freemap is in worse shape:

i 0 base 456 size 0 rhs 456 count 47

i 1 base 388 size 52 rhs 456 count 47

i 2 base 2120 size 4 rhs 456 count 47

firstused = 440

Important note: 388 is not aligned with the entries array element size

of 8 bytes.

Based on the incorrect freemap, the name area starts at byte 440, which

is below the end of the entries array! That's why the assertion

triggers and the filesystem shuts down.

How did we end up here? First, recall from the previous patch that the

freemap array in an xattr leaf block is not intended to be a

comprehensive map of all free space in the leaf block. In other words,

it's perfectly legal to have a leaf block with:

* 376 bytes in use by the entries array

* freemap[0] has [base = 376, size = 8]

* freemap[1] has [base = 388, size = 1500]

* the space between 376 and 388 is free, but the freemap stopped

tracking that some time ago

If we add one xattr, the entries array grows to 384 bytes, and

freemap[0] becomes [base = 384, size = 0]. So far, so good. But if we

add a second xattr, the entries array grows to 392 bytes, and freemap[0]

gets pushed up to [base = 392, size = 0]. This is bad, because

freemap[1] hasn't been updated, and now the entries array and the free

space claim the same space.

The fix here is to adjust all freemap entries so that none of them

collide with the entries array. Note that this fix relies on commit

2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and

the previous patch that resets zero length freemap entries to have

base = 0.

NVD Source

Technical Analysis

CVE-2026-43158 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (8)

Quick Facts

CVE IDCVE-2026-43158
CVSS Score8.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43158 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.