CVE-2026-43288
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/05/2026
Last modified:
15/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
ext4: move ext4_percpu_param_init() before ext4_mb_init()<br />
<br />
When running `kvm-xfstests -c ext4/1k -C 1 generic/383` with the<br />
`DOUBLE_CHECK` macro defined, the following panic is triggered:<br />
<br />
==================================================================<br />
EXT4-fs error (device vdc): ext4_validate_block_bitmap:423:<br />
comm mount: bg 0: bad block bitmap checksum<br />
BUG: unable to handle page fault for address: ff110000fa2cc000<br />
PGD 3e01067 P4D 3e02067 PUD 0<br />
Oops: Oops: 0000 [#1] SMP NOPTI<br />
CPU: 0 UID: 0 PID: 2386 Comm: mount Tainted: G W<br />
6.18.0-gba65a4e7120a-dirty #1152 PREEMPT(none)<br />
RIP: 0010:percpu_counter_add_batch+0x13/0xa0<br />
Call Trace:<br />
<br />
ext4_mark_group_bitmap_corrupted+0xcb/0xe0<br />
ext4_validate_block_bitmap+0x2a1/0x2f0<br />
ext4_read_block_bitmap+0x33/0x50<br />
mb_group_bb_bitmap_alloc+0x33/0x80<br />
ext4_mb_add_groupinfo+0x190/0x250<br />
ext4_mb_init_backend+0x87/0x290<br />
ext4_mb_init+0x456/0x640<br />
__ext4_fill_super+0x1072/0x1680<br />
ext4_fill_super+0xd3/0x280<br />
get_tree_bdev_flags+0x132/0x1d0<br />
vfs_get_tree+0x29/0xd0<br />
vfs_cmd_create+0x59/0xe0<br />
__do_sys_fsconfig+0x4f6/0x6b0<br />
do_syscall_64+0x50/0x1f0<br />
entry_SYSCALL_64_after_hwframe+0x76/0x7e<br />
==================================================================<br />
<br />
This issue can be reproduced using the following commands:<br />
mkfs.ext4 -F -q -b 1024 /dev/sda 5G<br />
tune2fs -O quota,project /dev/sda<br />
mount /dev/sda /tmp/test<br />
<br />
With DOUBLE_CHECK defined, mb_group_bb_bitmap_alloc() reads<br />
and validates the block bitmap. When the validation fails,<br />
ext4_mark_group_bitmap_corrupted() attempts to update<br />
sbi->s_freeclusters_counter. However, this percpu_counter has not been<br />
initialized yet at this point, which leads to the panic described above.<br />
<br />
Fix this by moving the execution of ext4_percpu_param_init() to occur<br />
before ext4_mb_init(), ensuring the per-CPU counters are initialized<br />
before they are used.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.17 (including) | 6.6.128 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.75 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.18.16 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (including) | 6.19.6 (excluding) |
| cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* | ||
| cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0d5fcb063cdabb9aeaa8554b7fedad2092c4150e
- https://git.kernel.org/stable/c/270564513489d98b721a1e4a10017978d5213bff
- https://git.kernel.org/stable/c/9e9fb259bcddf459a0168f4a964e979e500a68a5
- https://git.kernel.org/stable/c/aec095f3cc6cf209effd93278ce35be27db81d73
- https://git.kernel.org/stable/c/bf5b609524497c195f801cd5707252384aed8149