Improper input validation in Linux kernel - CVE-2026-43067
Published: May 6, 2026
Vulnerability identifier: #VU130233
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43067
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper input validation in ext4_mb_scan_groups() when searching for blocks for indirect block mapped files. A local user can create or operate on a crafted ext4 file system layout to cause a denial of service.
The issue can occur on file systems where some files or directories are extent-mapped and others are indirect-block mapped.
How to mitigate CVE-2026-43067
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1
- https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503
- https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29
- https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c
- https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f
- https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930