KernelScan.io

HIGH

xfs AttriRecover Deref

CVE-2026-43063

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

KernelScan AI: 4.1 MEDIUM


In the Linux kernel, the following vulnerability has been resolved: xfs: don't irele after failing to iget in xfs_attri_recover_work xlog_recovery_iget* never set @ip to a valid pointer if they return an error, so this irele will walk off a dangling pointer. Fix that.


Engine v0.2.0

Risk summary

Systems using XFS filesystems are at risk of kernel crashes during log recovery operations. The vulnerability is triggered when a corrupted or maliciously crafted XFS image causes inode retrieval to fail during extended-attribute log recovery, leading to an uninitialized pointer dereference in the error path. Exploitation requires an attacker to mount an XFS filesystem needing recovery, which requires elevated privileges. The primary impact is a denial of service (kernel panic).

Affected: fs/xfs/xfs_attr_item.c (XFS filesystem)

Vulnerability analysis

The vulnerability exists in the XFS extended-attribute log recovery path (xfs_attri_recover_work). The xlog_recovery_iget functions return an error without initializing the inode pointer @ip on failure. The original code then incorrectly called xfs_irele(ip) in the error path, dereferencing an uninitialized pointer and causing a kernel oops or panic. The fix removes the erroneous irele call. Because the trigger is during XFS mount-time log recovery, the attacker must be able to cause the system to mount an XFS filesystem in a recovery state. Mounting XFS block devices requires CAP_SYS_ADMIN in the initial user namespace (root-equivalent privileges). The attack complexity is high because it requires crafting a filesystem image that produces a specific log intent item and induces an iget failure during recovery.


Branch      Fixed in    Patch commit
6.12        6.12.80     b5c5a50c2f51
6.18        6.18.21     a1a5df1038f0
6.19        6.19.11     40082d08b638
mainline    7.0         70685c291ef8