CVE-2026-43365 Overview
CVE-2026-43365 is a Linux kernel vulnerability in the XFS filesystem driver. The flaw resides in the log roundoff logic, where the incore log roundoff value defaults to 512 bytes when the superblock does not specify a log stripe unit. On disks with 4K physical sectors, this undersized value produces corrupt logs and unmountable filesystems. Affected systems trigger torn write (CRC failure) errors during log recovery, resulting in mount failures with error -74. The issue affects Linux kernel versions including 7.0 release candidates rc1, rc2, and rc3. Crafted or fuzzed on-disk superblocks can deliberately trigger the condition, escalating the impact beyond accidental mkfs misconfiguration.
Critical Impact
Filesystem corruption and denial of service through unmountable XFS volumes, with potential for limited integrity impact via crafted on-disk metadata.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2 and 7.0-rc3
Discovery Timeline
- 2026-05-08 - CVE-2026-43365 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43365
Vulnerability Analysis
The vulnerability resides in the XFS log subsystem of the Linux kernel. XFS uses an l_iclog_roundoff value to align in-core log writes. When the superblock lacks a log stripe unit (sunit=0), the kernel falls back to a hardcoded 512-byte roundoff. On storage devices with 4K physical sectors and a log sector size of 4096, this 512-byte alignment is smaller than the underlying sector size. The mismatch causes log writes that do not align to physical sector boundaries, producing torn writes during recovery.
The resulting log state fails CRC verification at recovery time. The kernel emits messages such as "Torn write (CRC failure) detected at log block" and "failed to locate log tail", ultimately returning error -74 and refusing to mount the filesystem. Attackers able to supply crafted superblock metadata can deliberately induce these conditions, treating the bug as a corruption primitive against XFS volumes.
Root Cause
The roundoff selection logic in the XFS mount path does not consider the log sector size when the superblock omits a stripe unit. The fallback constant of 512 predates commit a6a65fef5ef8d0 and assumes legacy 512-byte sector geometry. Modern Advanced Format drives with 4K physical sectors require alignment matching the log sector size, not the historical default.
Attack Vector
The issue is reachable through two scenarios. First, mkfs.xfs builds that generate filesystems with sectsz=4096 sunit=0 produce volumes that corrupt themselves on normal use. Second, anyone able to write or fuzz an on-disk XFS superblock can force the kernel into the undersized roundoff path. Mounting such a volume triggers log corruption and denial of service for the affected filesystem.
No verified public exploit code is available for this issue. Technical details are documented in the upstream fix, Kernel Git Commit 2ecda4b, and in the related stable branch fixes.
Detection Methods for CVE-2026-43365
Indicators of Compromise
- Kernel log messages containing "XFS" followed by "Torn write (CRC failure) detected at log block" during mount.
- Mount failures returning error -74 with "log mount/recovery failed" messages in dmesg.
- XFS volumes reporting sectsz=4096 sunit=0 in xfs_info output on 4K physical-sector disks.
Detection Strategies
- Audit running kernel versions against the patched commits listed in the kernel.org stable tree references.
- Inventory XFS volumes using xfs_info and flag any volume with a 4096-byte log sector size and a zero log stripe unit.
- Correlate kernel ring buffer messages from journalctl -k with filesystem mount events to identify recovery failures.
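The inventory check above needs the log section's values specifically, because xfs_info prints sectsz and sunit for the metadata and data sections as well. The following is an added example, not part of the original advisory or of any XFS tooling; the function names and the sample output are constructed for illustration.

```python
import re

# Constructed sample of xfs_info output (not captured from a real host).
SAMPLE_XFS_INFO = """\
meta-data=/dev/sda1              isize=512    agcount=4, agsize=65536 blks
         =                       sectsz=4096  attr=2, projid32bit=1
         =                       crc=1        finobt=1, sparse=1, rmapbt=0
data     =                       bsize=4096   blocks=262144, imaxpct=25
         =                       sunit=0      swidth=0 blks
naming   =version 2              bsize=4096   ascii-ci=0, ftype=1
log      =internal log           bsize=4096   blocks=16384, version=2
         =                       sectsz=4096  sunit=0 blks, lazy-count=1
realtime =none                   extsz=4096   blocks=0, rtextents=0
"""

FIELD = re.compile(r"([\w-]+)=([^\s,]+)")


def parse_xfs_info(text):
    """Return {section: {key: value}}; continuation lines inherit the section."""
    sections, current = {}, None
    for line in text.splitlines():
        label, sep, rest = line.partition("=")
        if not sep:
            continue  # not a "label = fields" line
        if label.strip():
            current = label.strip()  # new section: meta-data, data, log, ...
        if current is None:
            continue
        sections.setdefault(current, {}).update(FIELD.findall(rest))
    return sections


def log_geometry_at_risk(text):
    """True when the log section reports sectsz=4096 together with sunit=0."""
    log = parse_xfs_info(text).get("log", {})
    try:
        sectsz, sunit = int(log["sectsz"]), int(log["sunit"])
    except (KeyError, ValueError):
        return False  # log geometry missing or unparsable: nothing to flag
    return sectsz == 4096 and sunit == 0


if __name__ == "__main__":
    print("at risk:", log_geometry_at_risk(SAMPLE_XFS_INFO))
```

A volume whose data section shows sunit=0 but whose log section has a non-zero stripe unit is not flagged, which a plain grep for sectsz and sunit cannot distinguish.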
Monitoring Recommendations
- Forward kernel logs to a centralized logging platform and alert on XFS CRC failure and log recovery error patterns.
- Track mount and unmount events on storage hosts, especially after firmware updates or disk replacements on 4K-sector media.
- Monitor for unexpected use of xfs_db or other low-level filesystem tools that can modify superblock fields.
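One way to turn the kernel log patterns above into an alert rule is to group the messages by device, so that a torn write followed by a failed recovery on the same volume stands out. This is an added example, not part of the original advisory; the sample log lines, function names and the "high"/"review" labels are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed kernel log lines (devices, timestamps and block numbers are made up).
SAMPLE_KLOG = """\
[  101.2] XFS (sdb1): Mounting V5 Filesystem
[  101.3] XFS (sdb1): Torn write (CRC failure) detected at log block 0x1a40.
[  101.4] XFS (sdb1): failed to locate log tail
[  101.4] XFS (sdb1): log mount/recovery failed: error -74
[  102.0] XFS (sdc1): Mounting V5 Filesystem
[  102.1] XFS (sdc1): Ending clean mount
"""

XFS_LINE = re.compile(r"XFS \((?P<dev>[^)]+)\): (?P<msg>.*)")

# Message fragments taken from the indicators listed in this advisory.
PATTERNS = {
    "torn_write": re.compile(r"Torn write \(CRC failure\) detected at log block"),
    "no_log_tail": re.compile(r"failed to locate log tail"),
    "recovery_failed": re.compile(r"log mount/recovery failed.*error -74"),
}


def scan(text):
    """Return {device: set of indicator names seen for that device}."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = XFS_LINE.search(line)
        if not m:
            continue  # not an XFS message
        for name, pattern in PATTERNS.items():
            if pattern.search(m["msg"]):
                hits[m["dev"]].add(name)
    return dict(hits)


def alerts(text):
    """'high' when a torn write and a failed recovery hit the same device,
    'review' for any other indicator (labels are this example's assumption)."""
    combined = {"torn_write", "recovery_failed"}
    return {dev: "high" if combined <= names else "review"
            for dev, names in scan(text).items()}


if __name__ == "__main__":
    for dev, level in alerts(SAMPLE_KLOG).items():
        print(dev, level)
```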
How to Mitigate CVE-2026-43365
Immediate Actions Required
- Apply the upstream kernel patches from the stable tree commits referenced in the advisory and reboot affected hosts.
- Avoid mounting untrusted XFS images, especially those originating from external or unverified sources.
- Verify that mkfs.xfs on build systems is not producing filesystems with sectsz=4096 sunit=0 on 4K-sector media.
Patch Information
Fixes are available across multiple stable branches. Refer to the upstream commits: Kernel Git Commit 41e91df, Kernel Git Commit 446a1f5, Kernel Git Commit 52a8a1b, Kernel Git Commit 5afae52, Kernel Git Commit 5e71484, and Kernel Git Commit e88ce9f0. Distribution vendors are shipping backports through their normal update channels.
Workarounds
- Recreate affected filesystems with mkfs.xfs using an explicit log stripe unit matching the underlying sector size.
- Restrict the ability to attach or mount arbitrary block devices to privileged administrators only.
- Use read-only mounts for forensic analysis of suspect XFS images until the host kernel is patched.
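# Show sector size and stripe unit values; the log section's sectsz and sunit are the ones that matter
sudo xfs_info /dev/sda1 | grep -E 'sectsz|sunit'
# Print the running kernel version to compare against the patched releases
uname -r
# Look for the torn write indicator in the kernel ring buffer
sudo dmesg | grep -i 'XFS.*CRC failure'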


