CVE-2026-43168 - Vulnerability Details

- ocfs2: fix reflink preserve cleanup issue

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix reflink preserve cleanup issue

commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error")
doesn't handle all cases and the cleanup job for preserved xattr entries
still has bug:
- the 'last' pointer should be shifted by one unit after cleanup
an array entry.
- current code logic doesn't cleanup the first entry when xh_count is 1.

Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug in the Linux kernel’s ocfs2 filesystem causes the cleanup routine for preserved extended attribute entries to malfunction. The code fails to shift the 'last' pointer after an entry is removed and also does not clean up the first entry when the count is one, creating dangling references that can lead to a use‑after‑free condition. An attacker with the ability to trigger the cleanup job could potentially manipulate kernel memory, leading to information disclosure, privilege escalation, or system crashes.

Affected Systems

The flaw resides in the ocfs2 module of the Linux kernel. No specific kernel version range is listed in the CVE data, so any kernel build compiled with ocfs2 prior to the inclusion of commit c06c303832ec is potentially vulnerable. The issue was reported through multiple kernel commits and is specific to the Linux kernel only.

Risk and Exploitability

The CVSS score is 5.5, and the EPSS score is < 1%. This vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or privileged execution, where an attacker could trigger the buggy cleanup routine. Exploitation requires local or privileged execution to trigger the buggy cleanup routine, making the risk moderate to low for external attackers but potentially higher for compromised or privileged users. Given the lack of public exploitation evidence, the overall likelihood of exploitation is considered low, but careful monitoring is recommended.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< c44d86ca949cb1e5566ad14510cc26fa1a17e2d8
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< 02acc9f72365e50eb45a56b7dacb9114ca3b503c
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< 8ff329353134280b203cb2bce95311cb8f7cbd8a
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< bb273b68c1719c2925e05557f7e7099edb066680
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< b2952dbeac2c3c527cb0519d5ffaeb95b062466a
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< 3bdc3766aafb052aef4baadef455a84c1c0a059d
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< 2f4daccd9d9b8b2952df7878df8c2e8ba6439398
`0fe9b66c65f3ff227da45381afe7612f91e32740`	affected	< 5138c936c2c82c9be8883921854bc6f7e1177d8c

Linux

affected

Version	Status	Constraints
`2.6.32`	affected	—
`0`	unaffected	< 2.6.32
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[0fe9b66c65f3ff227da45381afe7612f91e32740,c44d86ca949cb1e5566ad14510cc26fa1a17e2d8)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,02acc9f72365e50eb45a56b7dacb9114ca3b503c)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,8ff329353134280b203cb2bce95311cb8f7cbd8a)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,bb273b68c1719c2925e05557f7e7099edb066680)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,b2952dbeac2c3c527cb0519d5ffaeb95b062466a)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,3bdc3766aafb052aef4baadef455a84c1c0a059d)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,2f4daccd9d9b8b2952df7878df8c2e8ba6439398)`	affected	code_commit	—
`[0fe9b66c65f3ff227da45381afe7612f91e32740,5138c936c2c82c9be8883921854bc6f7e1177d8c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.32`	affected	semver	—
`[0,2.6.32)`	unaffected	semver	—
`[5.10.252,5.11.0)`	unaffected	semver	—
`[5.15.202,5.16.0)`	unaffected	semver	—
`[6.1.165,6.2.0)`	unaffected	semver	—
`[6.6.128,6.7.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a release that includes commit c06c303832ec or newer, which fixes the ocfs2 xattr cleanup problem.
If the system does not require the ocfs2 filesystem, disable or remove it from the kernel configuration to eliminate the vulnerable code path.
Monitor kernel logs for signs of use‑after‑free or memory corruption that might indicate an exploitation attempt.

Generated by OpenCVE AI on May 13, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/02acc9f72365e50eb45a56b7dacb9114ca3b503c
https://git.kernel.org/stable/c/2f4daccd9d9b8b2952df7878df8c2e8ba6439398
https://git.kernel.org/stable/c/3bdc3766aafb052aef4baadef455a84c1c0a059d
https://git.kernel.org/stable/c/5138c936c2c82c9be8883921854bc6f7e1177d8c
https://git.kernel.org/stable/c/8ff329353134280b203cb2bce95311cb8f7cbd8a
https://git.kernel.org/stable/c/b2952dbeac2c3c527cb0519d5ffaeb95b062466a
https://git.kernel.org/stable/c/bb273b68c1719c2925e05557f7e7099edb066680
https://git.kernel.org/stable/c/c44d86ca949cb1e5566ad14510cc26fa1a17e2d8
https://lore.kernel.org/linux-cve-announce/2026050634-CVE-2026-43168-3cc3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43168
https://www.cve.org/CVERecord?id=CVE-2026-43168

History

Wed, 13 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416 CWE-665

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026050634-CVE-2026-43168-3cc3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43168 https://www.cve.org/CVERecord?id=CVE-2026-43168

Wed, 06 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-665

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix reflink preserve cleanup issue commit c06c303832ec ("ocfs2: fix xattr array entry __counted_by error") doesn't handle all cases and the cleanup job for preserved xattr entries still has bug: - the 'last' pointer should be shifted by one unit after cleanup an array entry. - current code logic doesn't cleanup the first entry when xh_count is 1. Note, commit c06c303832ec is also a bug fix for 0fe9b66c65f3.
Title		ocfs2: fix reflink preserve cleanup issue
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/02acc9f72365e50eb45a56b7dacb9114ca3b503c https://git.kernel.org/stable/c/2f4daccd9d9b8b2952df7878df8c2e8ba6439398 https://git.kernel.org/stable/c/3bdc3766aafb052aef4baadef455a84c1c0a059d https://git.kernel.org/stable/c/5138c936c2c82c9be8883921854bc6f7e1177d8c https://git.kernel.org/stable/c/8ff329353134280b203cb2bce95311cb8f7cbd8a https://git.kernel.org/stable/c/b2952dbeac2c3c527cb0519d5ffaeb95b062466a https://git.kernel.org/stable/c/bb273b68c1719c2925e05557f7e7099edb066680 https://git.kernel.org/stable/c/c44d86ca949cb1e5566ad14510cc26fa1a17e2d8

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:44.570Z

Updated: 2026-05-11T22:19:06.078Z

Reserved: 2026-05-01T14:12:55.990Z

Link: CVE-2026-43168

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:35.060

Modified: 2026-05-13T14:51:05.960

Link: CVE-2026-43168

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43168 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T17:30:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object