CVE-2026-43063 Overview
CVE-2026-43063 is a Linux kernel vulnerability in the XFS filesystem's log recovery code path. The flaw resides in xfs_attri_recover_work, which calls irele on an inode pointer after xlog_recovery_iget* returns an error. Because the recovery helpers never set the @ip output parameter to a valid pointer on failure, the subsequent irele operates on a dangling pointer. The issue affects extended attribute (attri) log item recovery during XFS journal replay.
Critical Impact
Dereferencing an uninitialized inode pointer during XFS log recovery can corrupt kernel memory or trigger a kernel oops, leading to denial of service or undefined behavior on systems mounting affected XFS volumes.
Affected Products
- Linux kernel (mainline) versions containing the XFS attri recovery code path prior to the fix
- Stable kernel branches receiving backports referenced by commits 40082d08, 70685c29, a1a5df10, and b5c5a50c
- Distributions shipping affected kernels with XFS as a supported filesystem
Discovery Timeline
- 2026-05-05 - CVE-2026-43063 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43063
Vulnerability Analysis
The vulnerability is a use-of-uninitialized-pointer issue in the XFS journal recovery subsystem. During log replay, xfs_attri_recover_work invokes xlog_recovery_iget (or its variants) to obtain an in-core inode reference for an extended attribute intent item. When this helper fails, it returns a non-zero error and leaves the caller's inode pointer (@ip) untouched rather than setting it to NULL.
The original error-handling path in xfs_attri_recover_work then called xfs_irele(ip) unconditionally to release the reference. Because ip retains whatever stack-resident value it held before the failed call, the release path walks an indeterminate pointer. The fix removes the erroneous irele from the failure branch so the kernel no longer touches an uninitialized inode reference.
Root Cause
The root cause is improper error-handling contract enforcement between caller and callee. xlog_recovery_iget* documents that @ip is only valid on success, but xfs_attri_recover_work treated it as always populated. This mismatch produced a dangling pointer dereference whenever inode lookup failed during recovery, such as when the targeted inode is corrupt, unallocated, or otherwise unreadable.
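The contract mismatch described above, reduced to a user-space model. This is an added example, not the kernel source or the upstream patch: model_iget, model_irele, recover_before and recover_after are hypothetical names, and the release helper records its argument instead of dereferencing it so the model stays well defined.

```c
/* User-space model of the contract; names are hypothetical, not kernel code. */
#include <errno.h>
#include <stddef.h>

struct inode_model { int refs; };
static struct inode_model good_inode = { 1 };
static struct inode_model stale;      /* stands in for leftover stack contents */
static const void *last_released;     /* pointer the release helper was handed */
static int release_calls;

/* Callee: writes *ipp only on success and leaves it untouched on failure. */
static int model_iget(int ino, struct inode_model **ipp)
{
    if (ino != 42)                    /* only inode 42 can be fetched here */
        return -ENOENT;
    *ipp = &good_inode;
    return 0;
}

/* Records its argument instead of dereferencing it, so the model stays defined. */
static void model_irele(struct inode_model *ip)
{
    last_released = ip;
    release_calls++;
}

/* Before: ip is released even when the callee failed and never set it. */
static int recover_before(int ino)
{
    struct inode_model *ip = &stale;  /* models an indeterminate local */
    int error = model_iget(ino, &ip);
    model_irele(ip);
    return error;
}

/* After: the failure branch returns without touching ip. */
static int recover_after(int ino)
{
    struct inode_model *ip = NULL;
    int error = model_iget(ino, &ip);
    if (error)
        return error;                 /* no reference taken, nothing to release */
    model_irele(ip);
    return 0;
}

int main(void) { recover_before(7); recover_after(7); return last_released != &stale; }
```

In the model, the "before" caller hands the release helper a pointer that was never acquired, while the "after" caller releases only a reference it actually holds.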
Attack Vector
Triggering the bug requires the kernel to replay an XFS log containing an extended attribute intent that references an inode the recovery code cannot fetch. This typically occurs when mounting a crafted or corrupted XFS image with a dirty log. An attacker capable of supplying a filesystem image, such as through removable media or a privileged mount operation, can induce the failed iget and provoke the dangling pointer dereference.
The vulnerability was described in prose by upstream maintainers; refer to the kernel commit a1a5df10 for the fix and the related stable backports for the precise diff.
Detection Methods for CVE-2026-43063
Indicators of Compromise
- Kernel oops or general protection fault traces with xfs_attri_recover_work or xfs_irele on the call stack
- Mount-time failures or panics on XFS volumes with a dirty journal
- dmesg entries showing XFS log recovery errors followed by null or invalid pointer dereferences
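One way to turn the indicators above into a triage check over collected kernel log lines. This is an added example, not tooling from the page or the kernel project; the function name, the set of fault headers, and every sample log line (addresses and offsets included) are constructed for illustration.

```c
/* Triage scan over kernel log lines; the sample log below is constructed. */
#include <stddef.h>
#include <string.h>
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Headers that open a kernel crash report. */
static const char *const fault_markers[] = { "general protection fault",
    "BUG: kernel NULL pointer dereference", "BUG: unable to handle", "Oops:" };
/* Functions named in the indicators listed above. */
static const char *const xfs_frames[] = { "xfs_attri_recover_work", "xfs_irele" };

static int has_any(const char *line, const char *const *pats, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strstr(line, pats[i]))
            return 1;
    return 0;
}

/* Counts crash reports (fault header up to the "end trace" line) that name
 * an XFS recovery frame; each report counts once, other mentions are ignored. */
static int count_xfs_recovery_crashes(const char *const *lines, size_t n)
{
    int state = 0, hits = 0;  /* state: 0 outside, 1 in report, 2 counted */
    for (size_t i = 0; i < n; i++) {
        if (!state && has_any(lines[i], fault_markers, COUNT(fault_markers)))
            state = 1;
        if (state == 1 && has_any(lines[i], xfs_frames, COUNT(xfs_frames))) {
            state = 2;
            hits++;
        }
        if (strstr(lines[i], "end trace"))
            state = 0;
    }
    return hits;
}

/* Constructed sample: recovery message, matching report, unrelated report. */
static const char *const sample_log[] = {
    "XFS (sdb1): Starting recovery (logdev: internal)",
    "general protection fault, probably for non-canonical address 0xdead000000000100",
    " xfs_irele+0x1c/0x90 [xfs]",
    " xfs_attri_recover_work+0x1a4/0x2c0 [xfs]",
    "---[ end trace 0000000000000000 ]---",
    "BUG: kernel NULL pointer dereference, address: 0000000000000008",
    " ext4_readdir+0x10/0x80",
    "---[ end trace 0000000000000000 ]---",
};
int main(void) { return count_xfs_recovery_crashes(sample_log, COUNT(sample_log)) != 1; }
```

A non-zero count marks a host for kernel version review; it does not by itself confirm this CVE, since other faults can pass through the same functions.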
Detection Strategies
- Audit installed kernel package versions across Linux fleets and compare against fixed releases referenced in the upstream commits
- Monitor crash dumps and kdump output for stack traces involving XFS recovery functions
- Inspect host telemetry for unexpected reboots or kernel panics correlated with mount operations on XFS filesystems
Monitoring Recommendations
- Forward kernel ring buffer (dmesg) and journalctl -k output to a central logging platform for pattern analysis
- Alert on repeated mount failures of XFS volumes, particularly those involving external media or untrusted images
- Track kernel build versions through configuration management to confirm patch deployment status
How to Mitigate CVE-2026-43063
Immediate Actions Required
- Apply the upstream Linux kernel patch or distribution-provided update that includes the XFS attri recovery fix
- Restrict the ability of unprivileged users to mount untrusted XFS filesystem images, including via removable media policies
- Validate XFS filesystem integrity using xfs_repair before remounting volumes that experienced unclean shutdowns
Patch Information
The fix is committed upstream and backported to stable trees. Reference the following commits: a1a5df10, 40082d08, 70685c29, and b5c5a50c. Rebuild and reboot affected hosts after installing the updated kernel package.
Workarounds
- Avoid mounting XFS filesystems originating from untrusted sources until the patched kernel is installed
- Use udev rules or mount policies to block automatic mounting of removable XFS volumes on multi-user systems
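- Where feasible, run xfs_repair -L on quiesced volumes to clear dirty logs before remounting on unpatched kernels. The -L option zeroes the log, so any metadata changes still recorded in it are discarded; take a backup or snapshot first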
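# Show the running kernel release to compare against your distribution's fixed version
uname -r
# On Debian/Ubuntu, update the kernel package for the running release; a fix shipped
# under a new ABI version arrives through the kernel metapackage during a normal upgrade
sudo apt-get update && sudo apt-get install --only-upgrade "linux-image-$(uname -r)"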
# On RHEL/Rocky/Alma, update via dnf
sudo dnf update kernel
# Reboot to load the patched kernel
sudo systemctl reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


