Description
In the Linux kernel, the following vulnerability has been resolved:

xfs: don't irele after failing to iget in xfs_attri_recover_work

xlog_recovery_iget* never set @ip to a valid pointer if they return
an error, so this irele will walk off a dangling pointer. Fix that.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s XFS file system recovery path causes a release operation to be performed on an uninitialized or dangling pointer when attribute recovery fails to obtain an inode reference. The resulting memory corruption can trigger a kernel crash or panic, potentially disrupting system availability and exposing the machine to further instability. The vulnerability is a classic use‑of‑invalid‑pointer scenario, identified as a memory management issue.
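
The error-path pattern described above, as an added example that is not the kernel's code: a userspace model in which every name (`model_iget`, `model_irele`, `recover_buggy`, `recover_fixed`) is hypothetical and the shape of the buggy function is an assumption. The release helper checks the pointer against the set of live objects, so the invalid release is counted rather than dereferenced.

```c
#include <stdio.h>

/* Userspace model with hypothetical names; not kernel code. */
struct inode_model { int refs; };
static struct inode_model pool[4];     /* the only valid inodes */
static struct inode_model stale_slot;  /* stands in for stale stack contents */
static int invalid_releases;           /* releases of a pointer never acquired */

/* Lookup that leaves *ipp untouched on failure, as the description states. */
static int model_iget(int ino, struct inode_model **ipp)
{
    if (ino < 0 || ino >= 4)
        return -1;
    pool[ino].refs++;
    *ipp = &pool[ino];
    return 0;
}

/* Checked release: counts an invalid pointer instead of dereferencing it. */
static void model_irele(struct inode_model *ip)
{
    for (int i = 0; i < 4; i++)
        if (ip == &pool[i] && pool[i].refs > 0) { pool[i].refs--; return; }
    invalid_releases++;
}

/* Before (assumed shape): the release runs even when the lookup failed. */
static int recover_buggy(int ino)
{
    struct inode_model *ip = &stale_slot;
    int error = model_iget(ino, &ip);
    /* recovery work would run here when error == 0 */
    model_irele(ip);                   /* reached on the failure path too */
    return error;
}

/* After: return before the release when no reference was taken. */
static int recover_fixed(int ino)
{
    struct inode_model *ip = NULL;
    int error = model_iget(ino, &ip);
    if (error)
        return error;
    model_irele(ip);
    return 0;
}

int main(void)
{
    recover_buggy(99);                 /* constructed invalid inode number */
    printf("after buggy path: %d invalid release(s)\n", invalid_releases);
    recover_fixed(99);
    printf("after fixed path: %d invalid release(s) in total\n", invalid_releases);
    return 0;
}
```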

Affected Systems

All Linux kernel releases that include the XFS file system are potentially impacted, as the flaw resides in core XFS module code. No specific version range is listed, so any installation using an unpatched kernel remains at risk until the patch is applied.

Risk and Exploitability

The severity of the flaw is significant because it can lead to a kernel panic, but no CVSS score or EPSS value is publicly available, and it is not catalogued in CISA KEV. The attack vector is unclear from the available data; it could arise during normal filesystem operation, or when a corrupted XFS attribute triggers the recovery path. Exploitation would require the attacker to induce or trigger the fault condition, which may be possible through malicious file system manipulation or during a disk corruption event. Due to the potential for system downtime, administrators should consider this unsafe even in the absence of a public exploit.

Generated by OpenCVE AI on May 5, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the XFS attribute recovery fix or recompile the kernel from a source tree that contains the patch
  • If a patch cannot be applied immediately, consider disabling XFS usage on critical systems or migrating to an alternative filesystem until the kernel is updated
  • Configure system monitoring to alert on kernel oopses or panics, and isolate the affected host to prevent further disruption while remediation is pending



Advisories

No advisories yet.

History

Tue, 05 May 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-476 |

Tue, 05 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: xfs: don't irele after failing to iget in xfs_attri_recover_work xlog_recovery_iget* never set @ip to a valid pointer if they return an error, so this irele will walk off a dangling pointer. Fix that. |
| Title | | xfs: don't irele after failing to iget in xfs_attri_recover_work |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-05T15:23:24.034Z

Reserved: 2026-05-01T14:12:55.981Z

Link: CVE-2026-43063

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T16:16:15.467

Modified: 2026-05-05T16:16:15.467

Link: CVE-2026-43063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T17:45:05Z

Weaknesses