Cyber Resilience

CVE-2026-43067

Critical

Published: 05 May 2026

Published
05 May 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 32.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-43067 is a critical-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as APIs and Models; in the Other ATLAS/OWASP Terms risk domain.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: ext4: handle wraparound when searching for blocks for indirect mapped blocks Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for…

more

indirect block based files to block numbers that fit within 32-bit block numbers. However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern: If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration. After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups().

CWE(s)

AI Security AnalysisAI

AI Category
APIs and Models
Risk Domain
Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: gemini, llm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel ext4 block allocator flaw enables local exploitation for privilege escalation via crafted FS operations or allocation triggers leading to corruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

linux
linux kernel
6.1.167 · 5.15.203 — 5.16 · 6.6.130 — 6.6.134 · 6.12.77 — 6.12.80

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References