CVE-2026-43474 - Vulnerability Details

- fs: init flags_valid before calling vfs_fileattr_get

Description

In the Linux kernel, the following vulnerability has been resolved:

fs: init flags_valid before calling vfs_fileattr_get

syzbot reported a uninit-value bug in [1].

Similar to the "*get" context where the kernel's internal file_kattr
structure is initialized before calling vfs_fileattr_get(), we should
use the same mechanism when using fa.

[1]
BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517
vfs_fileattr_get fs/file_attr.c:94 [inline]
__do_sys_file_getattr fs/file_attr.c:416 [inline]

Local variable fa.i created at:
__do_sys_file_getattr fs/file_attr.c:380 [inline]
__se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372

Published: 2026-05-08

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A fault in the Linux kernel caused a local variable to remain uninitialized before the function vfs_fileattr_get was invoked, as discovered by KMSAN in a FUSE file attribute retrieval call. The defect is an Uninitialized Variable use vulnerability that may result in the kernel reading garbage data, leading to unpredictable behavior or the accidental exposure of kernel memory contents. The CVE description does not explicitly confirm concrete disclosure or denial‑of‑service scenarios, so any impact is inferred from the nature of the fault.

Affected Systems

All Linux kernel releases before the commit that added initialization of the flags_valid flag (identified by commit c379e19e820dd1c6145426b97467728b3b89c0b42) are affected. The vulnerability applies to the Linux kernel itself, regardless of the distribution, as the kernel source is shared across distributions.

Risk and Exploitability

No CVSS score has been published for this issue, but the EPSS score is reported as < 1 %, indicating a very low probability of exploitation. It is not listed in CISA’s KEV catalog. The defect can be triggered only with local system access that allows file attribute operations, so the attack surface is limited to local users who can invoke getattr or related syscalls. Overall, the risk is considered low to moderate, primarily due to the low exploitation probability and local nature of the flaw.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`be7efb2d20d67f334a7de2aef77ae6c69367e646`	affected	< 379e19e820dd1c6145426b97467728b3b89c0b42
`be7efb2d20d67f334a7de2aef77ae6c69367e646`	affected	< b8c182b2c8c44c6016b11d8af61715ad7ef958a1
`be7efb2d20d67f334a7de2aef77ae6c69367e646`	affected	< cb184dd19154fc486fa3d9e02afe70a97e54e055

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`6.18.19`	unaffected	≤ 6.18.*
`6.19.9`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,379e19e820dd1c6145426b97467728b3b89c0b42)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b8c182b2c8c44c6016b11d8af61715ad7ef958a1)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cb184dd19154fc486fa3d9e02afe70a97e54e055)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.18.19,6.19.0)`	unaffected	semver	—
`[6.19.9,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a Linux kernel version that includes the patch for commit c379e19e820dd1c6145426b97467728b3b89c0b42 or later
If an upgrade is not immediately possible, apply the fix by the same change that initializes flags_valid before calling vfs_fileattr_get into the running kernel source and rebuild the kernel
After installing the new kernel, reboot the system and verify that the uninitialized‑value issue no longer surfaces in kernel debugging tools such as KMSAN or through routine system calls

Generated by OpenCVE AI on May 9, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42
https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1
https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055
https://lore.kernel.org/linux-cve-announce/2026050806-CVE-2026-43474-36a6@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43474
https://www.cve.org/CVERecord?id=CVE-2026-43474

History

Sat, 09 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-457

Sat, 09 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-908
References		https://lore.kernel.org/linux-cve-announce/2026050806-CVE-2026-43474-36a6@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43474 https://www.cve.org/CVERecord?id=CVE-2026-43474

Fri, 08 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Fri, 08 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: fs: init flags_valid before calling vfs_fileattr_get syzbot reported a uninit-value bug in [1]. Similar to the "*get" context where the kernel's internal file_kattr structure is initialized before calling vfs_fileattr_get(), we should use the same mechanism when using fa. [1] BUG: KMSAN: uninit-value in fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 fuse_fileattr_get+0xeb4/0x1450 fs/fuse/ioctl.c:517 vfs_fileattr_get fs/file_attr.c:94 [inline] __do_sys_file_getattr fs/file_attr.c:416 [inline] Local variable fa.i created at: __do_sys_file_getattr fs/file_attr.c:380 [inline] __se_sys_file_getattr+0x8c/0xbd0 fs/file_attr.c:372
Title		fs: init flags_valid before calling vfs_fileattr_get
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/379e19e820dd1c6145426b97467728b3b89c0b42 https://git.kernel.org/stable/c/b8c182b2c8c44c6016b11d8af61715ad7ef958a1 https://git.kernel.org/stable/c/cb184dd19154fc486fa3d9e02afe70a97e54e055

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T14:22:32.871Z

Updated: 2026-05-09T04:11:08.098Z

Reserved: 2026-05-01T14:12:56.011Z

Link: CVE-2026-43474

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T15:17:00.577

Modified: 2026-05-08T15:17:00.577

Link: CVE-2026-43474

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43474 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-09T16:30:37Z

Weaknesses

CWE-908

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object