{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-43067","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-01T14:12:55.981Z","datePublished":"2026-05-05T15:23:26.717Z","dateUpdated":"2026-05-11T22:17:04.744Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:17:04.744Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: handle wraparound when searching for blocks for indirect mapped blocks\n\nCommit 4865c768b563 (\"ext4: always allocate blocks only from groups\ninode can use\") restricts what blocks will be allocated for indirect\nblock based files to block numbers that fit within 32-bit block\nnumbers.\n\nHowever, when using a review bot running on the latest Gemini LLM to\ncheck this commit when backporting into an LTS based kernel, it raised\nthis concern:\n\n   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal\n   group was populated via stream allocation from s_mb_last_groups),\n   then start will be >= ngroups.\n\n   Does this allow allocating blocks beyond the 32-bit limit for\n   indirect block mapped files? The commit message mentions that\n   ext4_mb_scan_groups_linear() takes care to not select unsupported\n   groups. However, its loop uses group = *start, and the very first\n   iteration will call ext4_mb_scan_group() with this unsupported\n   group because next_linear_group() is only called at the end of the\n   iteration.\n\nAfter reviewing the code paths involved and considering the LLM\nreview, I determined that this can happen when there is a file system\nwhere some files/directories are extent-mapped and others are\nindirect-block mapped.  To address this, add a safety clamp in\next4_mb_scan_groups()."}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/mballoc.c"],"versions":[{"version":"9d89b9d55e25cb340c5b4b769876edc551b7a9ff","lessThan":"f89bba144938921a2249237ad04a0183ff3f8930","status":"affected","versionType":"git"},{"version":"1b0edd6022a3f44ce87fea9959a9310f4628fbea","lessThan":"83170a05908b6cf2fb3235d3065bf613ff866f3c","status":"affected","versionType":"git"},{"version":"9eea2f57d11b30049ff996ac3eff6e0dc8089e5f","lessThan":"4bec4a498ce86314d470ae6144120461f2138c29","status":"affected","versionType":"git"},{"version":"34c803edc0b3365a42efcf9815acab63b4cf54e0","lessThan":"12624c5b724a81e14e532972b40d863b0de3b7d1","status":"affected","versionType":"git"},{"version":"321ed8d559c951e71ad2d2d69a4cf0445644e865","lessThan":"2a368ccddfc492a0aa951e2caef2985f20e96503","status":"affected","versionType":"git"},{"version":"4865c768b563deff1b6a6384e74a62f143427b42","lessThan":"bb81702370fad22c06ca12b6e1648754dbc37e0f","status":"affected","versionType":"git"},{"version":"16fce6b6c0b247258c6c217fce5a48abf50f6964","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/mballoc.c"],"versions":[{"version":"6.1.167","lessThan":"6.1.168","status":"affected","versionType":"semver"},{"version":"6.6.130","lessThan":"6.6.134","status":"affected","versionType":"semver"},{"version":"6.12.77","lessThan":"6.12.80","status":"affected","versionType":"semver"},{"version":"6.18.14","lessThan":"6.18.21","status":"affected","versionType":"semver"},{"version":"6.19.4","lessThan":"6.19.11","status":"affected","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.167","versionEndExcluding":"6.1.168"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.130","versionEndExcluding":"6.6.134"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.12.77","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.18.14","versionEndExcluding":"6.18.21"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.4","versionEndExcluding":"6.19.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.203"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930"},{"url":"https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c"},{"url":"https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29"},{"url":"https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1"},{"url":"https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503"},{"url":"https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f"}],"title":"ext4: handle wraparound when searching for blocks for indirect mapped blocks","x_generator":{"engine":"bippy-1.2.0"}}}}