ext4: handle wraparound when searching for blocks for indirect mapped blocks

Summary

CVE	CVE-2026-43067
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-05 16:16:15 UTC
Updated	2026-05-06 13:08:07 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: ext4: handle wraparound when searching for blocks for indirect mapped blocks Commit 4865c768b563 ("ext4: always allocate blocks only from groups inode can use") restricts what blocks will be allocated for indirect block based files to block numbers that fit within 32-bit block numbers. However, when using a review bot running on the latest Gemini LLM to check this commit when backporting into an LTS based kernel, it raised this concern: If ac->ac_g_ex.fe_group is >= ngroups (for instance, if the goal group was populated via stream allocation from s_mb_last_groups), then start will be >= ngroups. Does this allow allocating blocks beyond the 32-bit limit for indirect block mapped files? The commit message mentions that ext4_mb_scan_groups_linear() takes care to not select unsupported groups. However, its loop uses group = *start, and the very first iteration will call ext4_mb_scan_group() with this unsupported group because next_linear_group() is only called at the end of the iteration. After reviewing the code paths involved and considering the LLM review, I determined that this can happen when there is a file system where some files/directories are extent-mapped and others are indirect-block mapped. To address this, add a safety clamp in ext4_mb_scan_groups().

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 9d89b9d55e25cb340c5b4b769876edc551b7a9ff f89bba144938921a2249237ad04a0183ff3f8930 git	Not specified
CNA	Linux	Linux	affected 1b0edd6022a3f44ce87fea9959a9310f4628fbea 83170a05908b6cf2fb3235d3065bf613ff866f3c git	Not specified
CNA	Linux	Linux	affected 9eea2f57d11b30049ff996ac3eff6e0dc8089e5f 4bec4a498ce86314d470ae6144120461f2138c29 git	Not specified
CNA	Linux	Linux	affected 34c803edc0b3365a42efcf9815acab63b4cf54e0 12624c5b724a81e14e532972b40d863b0de3b7d1 git	Not specified
CNA	Linux	Linux	affected 321ed8d559c951e71ad2d2d69a4cf0445644e865 2a368ccddfc492a0aa951e2caef2985f20e96503 git	Not specified
CNA	Linux	Linux	affected 4865c768b563deff1b6a6384e74a62f143427b42 bb81702370fad22c06ca12b6e1648754dbc37e0f git	Not specified
CNA	Linux	Linux	affected 16fce6b6c0b247258c6c217fce5a48abf50f6964 git	Not specified
CNA	Linux	Linux	affected 6.1.167 6.1.168 semver	Not specified
CNA	Linux	Linux	affected 6.6.130 6.6.134 semver	Not specified
CNA	Linux	Linux	affected 6.12.77 6.12.80 semver	Not specified
CNA	Linux	Linux	affected 6.18.14 6.18.21 semver	Not specified
CNA	Linux	Linux	affected 6.19.4 6.19.11 semver	Not specified

References

Reference	Source	Link	Tags
git.kernel.org/stable/c/f89bba144938921a2249237ad04a0183ff3f8930	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/12624c5b724a81e14e532972b40d863b0de3b7d1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/4bec4a498ce86314d470ae6144120461f2138c29	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/83170a05908b6cf2fb3235d3065bf613ff866f3c	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/2a368ccddfc492a0aa951e2caef2985f20e96503	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/bb81702370fad22c06ca12b6e1648754dbc37e0f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.