HOMEVULNERABILITIESCVE-2026-43187
HIGH

CVE-2026-43187

Published: May 6, 2026· Updated: May 11, 2026

8.8
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:7.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: delete attr leaf freemap entries when empty

Back in commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size

underflow"), Brian Foster observed that it's possible for a small

freemap at the end of the end of the xattr entries array to experience

a size underflow when subtracting the space consumed by an expansion of

the entries array. There are only three freemap entries, which means

that it is not a complete index of all free space in the leaf block.

This code can leave behind a zero-length freemap entry with a nonzero

base. Subsequent setxattr operations can increase the base up to the

point that it overlaps with another freemap entry. This isn't in and of

itself a problem because the code in _leaf_add that finds free space

ignores any freemap entry with zero size.

However, there's another bug in the freemap update code in _leaf_add,

which is that it fails to update a freemap entry that begins midway

through the xattr entry that was just appended to the array. That can

result in the freemap containing two entries with the same base but

different sizes (0 for the "pushed-up" entry, nonzero for the entry

that's actually tracking free space). A subsequent _leaf_add can then

allocate xattr namevalue entries on top of the entries array, leading to

data loss. But fixing that is for later.

For now, eliminate the possibility of confusion by zeroing out the base

of any freemap entry that has zero size. Because the freemap is not

intended to be a complete index of free space, a subsequent failure to

find any free space for a new xattr will trigger block compaction, which

regenerates the freemap.

It looks like this bug has been in the codebase for quite a long time.

NVD Source

Technical Analysis

CVE-2026-43187 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.8.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux1 product
linux kernel
Source: NVD CPE · 2 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (8)

Quick Facts

CVE IDCVE-2026-43187
CVSS Score8.8 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
Affected1 vendor
PublishedMay 6, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-43187 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.