Improper control of a resource through its lifetime in Linux kernel - CVE-2026-43158

 


Published: May 7, 2026


Vulnerability identifier: #VU130580
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43158
CWE-ID: CWE-664
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper state management in the XFS extended attribute leaf block freemap adjustment code, which runs when extended attributes are added to leaf blocks. A local user can set a crafted extended attribute to cause a denial of service.

The issue can corrupt free space accounting so that the name area overlaps the end of the entries array, triggering an assertion and shutting down the filesystem.


How to mitigate CVE-2026-43158

Install the security update from the vendor's repository.

Sources