CVE-2026-43153 - Vulnerability Details

- xfs: remove xfs_attr_leaf_hasname

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: remove xfs_attr_leaf_hasname

The calling convention of xfs_attr_leaf_hasname() is problematic, because
it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer
when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a
non-NULL buffer pointer for an already released buffer when
xfs_attr3_leaf_lookup_int fails with other error values.

Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so
that the buffer release code is done by each caller of
xfs_attr3_leaf_read.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw stemmed from mishandled buffer returns in the xfs_attr_leaf_hasname routine. Depending on the error code, the function returned either a valid, a NULL, or a dangling buffer. Subsequent releases by callers could attempt to free or dereference these buffers, creating classic use‑after‑free or double‑free conditions. An attacker with sufficient local access could trigger such an error path to cause a kernel panic or, if properly exploited, gain elevated privileges. The weakness is rooted in improper resource management and falls under the typical use‑after‑free and invalid free classes of vulnerabilities.

Affected Systems

All Linux kernel releases that incorporate the XFS filesystem and use the xfs_attr_leaf_hasname helper. Specific patch levels are not listed, so any kernel prior to the commit that removes the function is potentially vulnerable. The absence of version data means administrators should treat all current unpatched XFS‑enabled kernels as affected until a patch is confirmed applied.

Risk and Exploitability

The EPSS score is unavailable and the vulnerability is not yet listed in CISA’s KEV catalog, but the nature of the flaw – a kernel‑level memory corruption that can be triggered by an error path in filesystem operations – suggests a high severity CVSS. The attack would require local access or a privileged process to trigger the error condition, making the vector appear as a local privilege escalation scenario. The lack of a publicly known exploit at this time does not diminish the potential risk, especially for systems running unpatched kernels with XFS mounted.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`07120f1abdff80f3d1351f733661abe28d609535`	affected	< 2fbc8421d1db102c0e5458607e042a23a03648b1
`07120f1abdff80f3d1351f733661abe28d609535`	affected	< 457121c01f609b9934addbb04d5c1ef638c71c61
`07120f1abdff80f3d1351f733661abe28d609535`	affected	< 530082df991903f3330354e99e0cb7b05debfa86
`07120f1abdff80f3d1351f733661abe28d609535`	affected	< 3a65ea768b8094e4699e72f9ab420eb9e0f3f568

Linux

affected

Version	Status	Constraints
`5.9`	affected	—
`0`	unaffected	< 5.9
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[07120f1abdff80f3d1351f733661abe28d609535,2fbc8421d1db102c0e5458607e042a23a03648b1)`	affected	code_commit	—
`[07120f1abdff80f3d1351f733661abe28d609535,457121c01f609b9934addbb04d5c1ef638c71c61)`	affected	code_commit	—
`[07120f1abdff80f3d1351f733661abe28d609535,530082df991903f3330354e99e0cb7b05debfa86)`	affected	code_commit	—
`[07120f1abdff80f3d1351f733661abe28d609535,3a65ea768b8094e4699e72f9ab420eb9e0f3f568)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.9`	affected	semver	—
`[0,5.9)`	unaffected	generic	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that has removed the xfs_attr_leaf_hasname function and applied the surrounding patch commits.
If a kernel update is not immediately possible, disable XFS usage on affected hosts by unmounting XFS filesystems or removing XFS support modules.
As an interim measure, consider applying a custom patch to the kernel source that inlines the xfs_attr_leaf_hasname logic into callers, ensuring proper buffer release on every path, and rebuild the kernel.

Generated by OpenCVE AI on May 6, 2026 at 13:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2fbc8421d1db102c0e5458607e042a23a03648b1
https://git.kernel.org/stable/c/3a65ea768b8094e4699e72f9ab420eb9e0f3f568
https://git.kernel.org/stable/c/457121c01f609b9934addbb04d5c1ef638c71c61
https://git.kernel.org/stable/c/530082df991903f3330354e99e0cb7b05debfa86

History

Wed, 06 May 2026 14:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-590

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfs: remove xfs_attr_leaf_hasname The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values. Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read.
Title		xfs: remove xfs_attr_leaf_hasname
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2fbc8421d1db102c0e5458607e042a23a03648b1 https://git.kernel.org/stable/c/3a65ea768b8094e4699e72f9ab420eb9e0f3f568 https://git.kernel.org/stable/c/457121c01f609b9934addbb04d5c1ef638c71c61 https://git.kernel.org/stable/c/530082df991903f3330354e99e0cb7b05debfa86

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:34.446Z

Updated: 2026-05-06T11:27:34.446Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43153

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:33.073

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43153

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object