CVE-2026-43158 Overview
CVE-2026-43158 is a Linux kernel vulnerability in the XFS filesystem's extended attribute (xattr) handling code. The flaw resides in the leaf block freemap adjustment logic invoked when adding xattrs to leaf blocks. Inconsistent freemap entries cause the entries array and free space tracking to overlap, triggering a kernel assertion in xfs_attr3_leaf_add_work and shutting down the filesystem. The issue was reproduced through the xfs/592 and xfs/794 regression tests, as well as fsstress workloads setting local extended attributes with specific name and value lengths.
Critical Impact
A local user able to create extended attributes on an XFS filesystem can trigger a kernel assertion that shuts down the filesystem, resulting in denial of service.
Affected Products
- Linux kernel versions containing the XFS xattr leaf block freemap adjustment code prior to the referenced fix commits
- Distributions shipping vulnerable Linux kernels with XFS support enabled
- Systems using XFS as the filesystem for workloads that create extended attributes
Discovery Timeline
- 2026-05-06 - CVE-2026-43158 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43158
Vulnerability Analysis
The vulnerability lives in the XFS code path that adjusts the freemap array inside an extended attribute leaf block when a new xattr is added. The freemap array does not track every free byte in the leaf block; it tracks selected free regions. When the entries array grows to accommodate a new xattr entry, the code fails to update all freemap entries to reflect the new boundary of the entries array.
Under a workload that sets a local xattr with namelen=3 and valuelen=71 (an 80-byte entry), the freemap can end up reporting free space at a base offset that overlaps the entries array. The result is that the computed name area starts below the end of the entries array, violating the invariant ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf) and tripping the assertion.
Root Cause
The root cause is incomplete maintenance of the freemap array when the xattr entries array grows. After adding an entry, only a subset of freemap slots is updated, leaving stale base values that point into the region now occupied by the entries array. Subsequent allocations consume bytes from a region that is no longer free, producing a firstused value that violates the leaf block layout invariant. The fix relies on the prior commit 2a2b5932db6758 ("xfs: fix attr leaf header freemap.size underflow") and a preceding patch that resets zero-length freemap entries to base = 0.
Attack Vector
Exploitation requires local access and the ability to create extended attributes on an XFS filesystem. An attacker repeatedly setting xattrs with specific name and value lengths can drive the freemap into the inconsistent state. When the assertion fires, the kernel shuts the filesystem down, denying service to all users of that filesystem until remount or reboot. The issue is not described as enabling memory corruption beyond the leaf block bookkeeping shutdown.
No verified proof-of-concept code is published. The Linux kernel fsstress test tool reproduces the condition within roughly 20 minutes on test virtual machines. See the Kernel Git Commit Fix for the corrected freemap adjustment logic.
Detection Methods for CVE-2026-43158
Indicators of Compromise
- Kernel log entries reporting the assertion ASSERT(ichdr->firstused >= ichdr->count * sizeof(xfs_attr_leaf_entry_t) + xfs_attr3_leaf_hdr_size(leaf)) from XFS code paths.
- XFS filesystem shutdowns recorded in dmesg with messages referencing xfs_attr3_leaf_add_work or attribute leaf corruption.
- Unexpected XFS: Corruption detected or Filesystem has been shut down events on systems with active xattr workloads.
Detection Strategies
- Monitor kernel ring buffer and journalctl -k output for XFS assertion failures and forced shutdowns.
- Compare running kernel build IDs against the fix commits listed in the kernel.org references to identify hosts still running vulnerable code.
- Track abnormal filesystem unmount or remount events on XFS volumes hosting workloads that heavily use extended attributes (for example, SELinux labels, Samba ACLs).
Monitoring Recommendations
- Forward kernel logs from Linux endpoints to a centralized logging or SIEM platform and alert on XFS shutdown messages.
- Maintain an inventory of kernel versions across the fleet and flag hosts that have not yet absorbed the stable kernel update.
- Track local user processes that issue large volumes of setxattr syscalls against XFS-backed paths.
How to Mitigate CVE-2026-43158
Immediate Actions Required
- Apply the stable kernel update that includes the XFS xattr leaf freemap fix and reboot affected hosts.
- Identify XFS volumes that host untrusted local workloads and prioritize them for patching.
- Review backup and snapshot policies for XFS volumes to enable rapid recovery if a filesystem shutdown occurs before patching completes.
Patch Information
The fix is distributed across multiple stable kernel branches. Reference commits include 24ce71852f2c, 38613c01f69e, 3eefc0c2b784, 43f3b1867961, 6a8737afbccc, a396b3d73d51, d08976725355, and ef42a8766ff3. Apply the kernel update provided by your Linux distribution that incorporates these commits.
Workarounds
- Restrict local user access on systems running unpatched kernels to reduce the population of users who can create xattrs on XFS volumes.
- Where feasible, limit workloads that create large numbers of extended attributes on XFS until the patched kernel is deployed.
- Ensure XFS filesystems can be remounted without service interruption by validating recovery procedures in advance.
# Verify running kernel and check for XFS assertion events
uname -r
dmesg | grep -i -E 'xfs_attr3_leaf_add_work|XFS.*shutdown|xfs.*ASSERT'
journalctl -k --since "7 days ago" | grep -i xfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
