xfs AttrLeaf Corruption
CVE-2026-43153
Severity: HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.3 (HIGH)
Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: remove xfs_attr_leaf_hasname

The calling convention of xfs_attr_leaf_hasname() is problematic, because it returns a NULL buffer when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a non-NULL buffer pointer for an already released buffer when xfs_attr3_leaf_lookup_int fails with other error values.

Fix this by simply open coding xfs_attr_leaf_hasname in the callers, so that the buffer release code is done by each caller of xfs_attr3_leaf_read.
KernelScan AI Analysis
Risk summary
Local users with filesystem access can trigger kernel crashes or memory corruption in XFS extended attribute handling. The vulnerability affects systems using XFS filesystems where users can manipulate extended attributes on files they have access to.
Vulnerability analysis
The root cause is the inconsistent calling convention of xfs_attr_leaf_hasname(), whose returned buffer pointer has three different meanings: NULL when xfs_attr3_leaf_read fails, a valid buffer when xfs_attr3_leaf_lookup_int returns -ENOATTR or -EEXIST, and a dangling pointer to an already-released buffer when xfs_attr3_leaf_lookup_int fails with any other error value. A caller that treats every non-NULL pointer as a live buffer, specifically xfs_attr_lookup(), can therefore operate on freed memory and release it a second time via xfs_trans_brelse(), a use-after-free and double-release. The fix removes the function entirely and open-codes the lookup in each caller, so that every caller of xfs_attr3_leaf_read owns the buffer release itself and no code path can hand back a pointer to a buffer that has already been released.
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | 2fbc8421d1db |
| 6.18 | 6.18.16 | 457121c01f60 |
| 6.19 | 6.19.6 | 530082df9919 |
| mainline | 7.0 | 3a65ea768b80 |