ext4: handle wraparound when searching for blocks for indirect mapped...

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: handle wraparound when searching for blocks for indirect mapped blocks

Commit 4865c768b563 ("ext4: always allocate blocks only from groups
inode can use") restricts what blocks will be allocated for indirect
block based files to block numbers that fit within 32-bit block
numbers.

However, when using a review bot running on the latest Gemini LLM to
check this commit when backporting into an LTS based kernel, it raised
this concern:

If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal
group was populated via stream allocation from s_mb_last_groups),
then start will be >= ngroups.

Does this allow allocating blocks beyond the 32-bit limit for
indirect block mapped files? The commit message mentions that
ext4_mb_scan_groups_linear() takes care to not select unsupported
groups. However, its loop uses group = *start, and the very first
iteration will call ext4_mb_scan_group() with this unsupported
group because next_linear_group() is only called at the end of the
iteration.

After reviewing the code paths involved and considering the LLM
review, I determined that this can happen when there is a file system
where some files/directories are extent-mapped and others are
indirect-block mapped. To address this, add a safety clamp in
ext4_mb_scan_groups().

AI Analysis

A vulnerability in the Linux kernel allows for the allocation of blocks beyond the 32-bit limit for indirect block mapped files, potentially leading to data corruption or other security issues.

Basic Information

ID CVE-2026-43067

Source Linux

Published May 5, 2026 at 15:23

Modified May 8, 2026 at 12:40

Affected Product

Vendor Linux

Product Linux

Version 9d89b9d55e25cb340c5b4b769876edc551b7a9ff

Affected Versions Linux Linux 9d89b9d55e25cb340c5b4b769876edc551b7a9ff
Linux Linux 1b0edd6022a3f44ce87fea9959a9310f4628fbea
Linux Linux 9eea2f57d11b30049ff996ac3eff6e0dc8089e5f
Linux Linux 34c803edc0b3365a42efcf9815acab63b4cf54e0
Linux Linux 321ed8d559c951e71ad2d2d69a4cf0445644e865
Linux Linux 4865c768b563deff1b6a6384e74a62f143427b42
Linux Linux 16fce6b6c0b247258c6c217fce5a48abf50f6964
Linux Linux 6.1.167
Linux Linux 6.6.130
Linux Linux 6.12.77
Linux Linux 6.18.14
Linux Linux 6.19.4

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Linux

Product Linux Kernel

Version 6.1.167, 6.6.130, 6.12.77, 6.18.14, 6.19.4

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups().",
    "published": "2026-05-05T15:23:26.717Z",
    "modified": "2026-05-08T12:40:18.665Z",
    "type": "cve",
    "title": "ext4: handle wraparound when searching for blocks for indirect mapped blocks",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930\nhttps://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c\nhttps://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29\nhttps://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1\nhttps://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503\nhttps://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f",
    "id": "CVE-2026-43067",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 9d89b9d55e25cb340c5b4b769876edc551b7a9ff\nLinux Linux 1b0edd6022a3f44ce87fea9959a9310f4628fbea\nLinux Linux 9eea2f57d11b30049ff996ac3eff6e0dc8089e5f\nLinux Linux 34c803edc0b3365a42efcf9815acab63b4cf54e0\nLinux Linux 321ed8d559c951e71ad2d2d69a4cf0445644e865\nLinux Linux 4865c768b563deff1b6a6384e74a62f143427b42\nLinux Linux 16fce6b6c0b247258c6c217fce5a48abf50f6964\nLinux Linux 6.1.167\nLinux Linux 6.6.130\nLinux Linux 6.12.77\nLinux Linux 6.18.14\nLinux Linux 6.19.4",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "9d89b9d55e25cb340c5b4b769876edc551b7a9ff",
    "vendor": "Linux",
    "ai_description": "A vulnerability in the Linux kernel allows for the allocation of blocks beyond the 32-bit limit for indirect block mapped files, potentially leading to data corruption or other security issues.",
    "ai_severity": "Critical",
    "ai_vendor": "Linux",
    "ai_product": "Linux Kernel",
    "ai_version": "6.1.167, 6.6.130, 6.12.77, 6.18.14, 6.19.4",
    "ai_score": 9.8
}

ext4: handle wraparound when searching for blocks for indirect mapped blocks_CVE-2026-43067