CVE-2026-43068 - Vulnerability Details

- ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()

There's issue as follows:
...
EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost

EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost

EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost

EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost

EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost

EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117
EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost

EXT4-fs (mmcblk0p1): error count since last fsck: 1
EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760
EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760
...

According to the log analysis, blocks are always requested from the
corrupted block group. This may happen as follows:
ext4_mb_find_by_goal
ext4_mb_load_buddy
ext4_mb_load_buddy_gfp
ext4_mb_init_cache
ext4_read_block_bitmap_nowait
ext4_wait_block_bitmap
ext4_validate_block_bitmap
if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
return -EFSCORRUPTED; // There's no logs.
if (err)
return err; // Will return error
ext4_lock_group(ac->ac_sb, group);
if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable
goto out;

After commit 9008a58e5dce ("ext4: make the bitmap read routines return
real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group
as corrupt on block bitmap error") is no real solution for allocating
blocks from corrupted block groups. This is because if
'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then
'ext4_mb_load_buddy()' may return an error. This means that the block
allocation will fail.
Therefore, check block group if corrupted when ext4_mb_load_buddy()
returns error.

Published: 2026-05-05

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is in the ext4 filesystem’s block allocation routine. When a block group bitmap is corrupted, the allocation path may mistakenly request blocks from that group, causing delayed block allocation failures as indicated by the kernel logs. The kernel logs include repeated messages stating "Data will be lost", showing that an inconsistent filesystem state may lead to loss of file data. The weakness is a race condition in the block allocation path (CWE-237), and the analysis also identified potential memory‑leak issues (CWE-401).

Affected Systems

All Linux kernel versions that incorporate the ext4 filesystem and have not yet integrated the fixes in commits 9008a58e5dce and 163a203ddb36 are potentially affected. No specific kernel releases are enumerated; therefore, any system running a Linux kernel where ext4 code unmodified by those commits might be vulnerable.

Risk and Exploitability

The CVSS score of 5.5 is reported, while the EPSS score remains under 1%, indicating a low but non‑zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The risk manifests when a block group bitmap becomes corrupted, leading to possible data loss. There is no documented remote exploitation path; the threat vector would likely require an adversary that can induce or discover filesystem corruption, perhaps through hardware failure or local tampering.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< fea6b2e250ff48f10d166011b57a8516ae5438c9
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< 0b84571c886719823d537f05f4f07cad6357c4b7
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< ffc0a282462d45fee5957621be5afa29752f3b6d
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< 2d31a5073f86a177edf44015e0dedb0c47cfd6d8
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< 9370207b36d26e45a8c8ef0500706d37036edd6b
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< 1895f7904be71c48f1e6f338b28f24dabd6b8aeb
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< 1c0d7c4cde38a887c6d74e0c89ddb25226943c78
`163a203ddb36c36d4a1c942aececda0cc8d06aa7`	affected	< 46066e3a06647c5b186cc6334409722622d05c44

Linux

affected

Version	Status	Constraints
`3.12`	affected	—
`0`	unaffected	< 3.12
`5.10.253`	unaffected	≤ 5.10.*
`5.15.203`	unaffected	≤ 5.15.*
`6.1.168`	unaffected	≤ 6.1.*
`6.6.131`	unaffected	≤ 6.6.*
`6.12.80`	unaffected	≤ 6.12.*
`6.18.21`	unaffected	≤ 6.18.*
`6.19.11`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,fea6b2e250ff48f10d166011b57a8516ae5438c9)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,0b84571c886719823d537f05f4f07cad6357c4b7)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,9370207b36d26e45a8c8ef0500706d37036edd6b)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,1895f7904be71c48f1e6f338b28f24dabd6b8aeb)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,1c0d7c4cde38a887c6d74e0c89ddb25226943c78)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,46066e3a06647c5b186cc6334409722622d05c44)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,2d31a5073f86a177edf44015e0dedb0c47cfd6d8)`	affected	code_commit	—
`[163a203ddb36c36d4a1c942aececda0cc8d06aa7,ffc0a282462d45fee5957621be5afa29752f3b6d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.12`	affected	generic	—
`[0,3.12)`	unaffected	generic	—
`[5.10.253,5.11.0)`	unaffected	semver	—
`[5.15.203,5.16.0)`	unaffected	semver	—
`[6.1.168,6.2.0)`	unaffected	semver	—
`[6.6.131,6.7.0)`	unaffected	semver	—
`[6.12.80,6.13.0)`	unaffected	semver	—
`[6.18.21,6.19.0)`	unaffected	semver	—
`[6.19.11,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes commits 9008a58e5dce and 163a203ddb36, which fix the block‑allocation path for corrupted groups.
Run fsck.ext4 (or e2fsck –f) on each ext4 filesystem to detect and correct corrupted block groups.
Monitor system logs for "Delayed block allocation failed" messages and perform filesystem repair or migration when such events occur.

Generated by OpenCVE AI on May 21, 2026 at 00:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0b84571c886719823d537f05f4f07cad6357c4b7
https://git.kernel.org/stable/c/1895f7904be71c48f1e6f338b28f24dabd6b8aeb
https://git.kernel.org/stable/c/1c0d7c4cde38a887c6d74e0c89ddb25226943c78
https://git.kernel.org/stable/c/2d31a5073f86a177edf44015e0dedb0c47cfd6d8
https://git.kernel.org/stable/c/46066e3a06647c5b186cc6334409722622d05c44
https://git.kernel.org/stable/c/9370207b36d26e45a8c8ef0500706d37036edd6b
https://git.kernel.org/stable/c/fea6b2e250ff48f10d166011b57a8516ae5438c9
https://git.kernel.org/stable/c/ffc0a282462d45fee5957621be5afa29752f3b6d
https://lore.kernel.org/linux-cve-announce/2026050533-CVE-2026-43068-7bf7@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43068
https://www.cve.org/CVERecord?id=CVE-2026-43068

History

Wed, 20 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-237
References		https://lore.kernel.org/linux-cve-announce/2026050533-CVE-2026-43068-7bf7@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43068 https://www.cve.org/CVERecord?id=CVE-2026-43068
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Tue, 05 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal() There's issue as follows: ... EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 206 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2243 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): Delayed block allocation failed for inode 2239 at logical offset 0 with max blocks 1 with error 117 EXT4-fs (mmcblk0p1): This should not happen!! Data will be lost EXT4-fs (mmcblk0p1): error count since last fsck: 1 EXT4-fs (mmcblk0p1): initial error at time 1765597433: ext4_mb_generate_buddy:760 EXT4-fs (mmcblk0p1): last error at time 1765597433: ext4_mb_generate_buddy:760 ... According to the log analysis, blocks are always requested from the corrupted block group. This may happen as follows: ext4_mb_find_by_goal ext4_mb_load_buddy ext4_mb_load_buddy_gfp ext4_mb_init_cache ext4_read_block_bitmap_nowait ext4_wait_block_bitmap ext4_validate_block_bitmap if (!grp \|\| EXT4_MB_GRP_BBITMAP_CORRUPT(grp)) return -EFSCORRUPTED; // There's no logs. if (err) return err; // Will return error ext4_lock_group(ac->ac_sb, group); if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info))) // Unreachable goto out; After commit 9008a58e5dce ("ext4: make the bitmap read routines return real error codes") merged, Commit 163a203ddb36 ("ext4: mark block group as corrupt on block bitmap error") is no real solution for allocating blocks from corrupted block groups. This is because if 'EXT4_MB_GRP_BBITMAP_CORRUPT(e4b->bd_info)' is true, then 'ext4_mb_load_buddy()' may return an error. This means that the block allocation will fail. Therefore, check block group if corrupted when ext4_mb_load_buddy() returns error.
Title		ext4: avoid allocate block from corrupted group in ext4_mb_find_by_goal()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0b84571c886719823d537f05f4f07cad6357c4b7 https://git.kernel.org/stable/c/1895f7904be71c48f1e6f338b28f24dabd6b8aeb https://git.kernel.org/stable/c/1c0d7c4cde38a887c6d74e0c89ddb25226943c78 https://git.kernel.org/stable/c/2d31a5073f86a177edf44015e0dedb0c47cfd6d8 https://git.kernel.org/stable/c/46066e3a06647c5b186cc6334409722622d05c44 https://git.kernel.org/stable/c/9370207b36d26e45a8c8ef0500706d37036edd6b https://git.kernel.org/stable/c/fea6b2e250ff48f10d166011b57a8516ae5438c9 https://git.kernel.org/stable/c/ffc0a282462d45fee5957621be5afa29752f3b6d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-05T15:23:27.371Z

Updated: 2026-05-11T22:17:05.953Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43068

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-05T16:16:16.053

Modified: 2026-05-20T23:09:44.863

Link: CVE-2026-43068

Redhat

Severity : Low

Publid Date: 2026-05-05T00:00:00Z

Links: CVE-2026-43068 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T00:30:43Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object