CVE-2026-43067

EUVD-2026-27368
In the Linux kernel, the following vulnerability has been resolved:

ext4: handle wraparound when searching for blocks for indirect mapped blocks

Commit 4865c768b563 ("ext4: always allocate blocks only from groups
inode can use") restricts what blocks will be allocated for indirect
block based files to block numbers that fit within 32-bit block
numbers.

However, when using a review bot running on the latest Gemini LLM to
check this commit when backporting into an LTS based kernel, it raised
this concern:

   If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal
   group was populated via stream allocation from s_mb_last_groups),
   then start will be >= ngroups.

   Does this allow allocating blocks beyond the 32-bit limit for
   indirect block mapped files? The commit message mentions that
   ext4_mb_scan_groups_linear() takes care to not select unsupported
   groups. However, its loop uses group = *start, and the very first
   iteration will call ext4_mb_scan_group() with this unsupported
   group because next_linear_group() is only called at the end of the
   iteration.

After reviewing the code paths involved and considering the LLM
review, I determined that this can happen when there is a file system
where some files/directories are extent-mapped and others are
indirect-block mapped.  To address this, add a safety clamp in
ext4_mb_scan_groups().
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Affected Products (NVD)
VendorProductVersion
linuxlinux_kernel
5.15.203 ≤
𝑥
< 5.16
linuxlinux_kernel
6.6.130 ≤
𝑥
< 6.6.134
linuxlinux_kernel
6.12.77 ≤
𝑥
< 6.12.80
linuxlinux_kernel
6.18.14 ≤
𝑥
< 6.18.21
linuxlinux_kernel
6.19.4 ≤
𝑥
< 6.19.11
linuxlinux_kernel
6.1.167
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.170-3
fixed
bookworm (security)
6.1.174-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.257-1
fixed
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
6.12.86-1
fixed
trixie (security)
6.12.94-1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bpftool6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
bpftool6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
bpftool6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
bpftool6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel-livepatch-6.12.80-105.147
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel-livepatch-6.18.25-52.107
Amazon Linux 2023
1:1.0-0.amzn2023
fixed
kernel6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-debuginfo-common-aarch64
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-debuginfo-common-x86_64
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-devel
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-headers
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf-devel
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-libbpf-static
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-modules-extra
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-modules-extra-common
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-tools
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-tools-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.12-tools-devel
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
kernel6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-aarch64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-debuginfo-common-x86_64
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-headers
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-modules-extra-common
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
kernel6.18-tools-devel
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
perf6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf6.12
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
python3-perf6.12-debuginfo
Amazon Linux 2023
1:6.12.80-105.147.amzn2023
fixed
python3-perf6.18
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
python3-perf6.18-debuginfo
Amazon Linux 2023
1:6.18.25-52.107.amzn2023
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1
https://git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503
https://git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29
https://git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c
https://git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f
https://git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930