Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
High

Linux kernel XFS undersized l_iclog_roundoff log corruption vulnerability

IdentifiersCVE-2026-43365CWE-1284

CVE-2026-43365 is a vulnerability in the Linux kernel's XFS filesystem code caused by incorrect handling of the in-core log roundoff value (l_iclog_roundoff). When the XFS superblock does not specify a log stripe unit, the kernel can set the roundoff value to 512 bytes even when the log sector size is 4096 bytes. On affected filesystems, particularly those using 4K physical sectors, this mismatch can result in torn-write CRC failures, corrupted XFS journal/log state, and subsequent log recovery or mount failures. The issue is described by the upstream fix as "xfs: fix undersized l_iclog_roundoff values." The provided diagnostic output shows CRC failure detection in the log, inability to locate the log tail, and log mount/recovery failure with error -74. The content also notes that malformed filesystems can be produced by a broken mkfs in current xfsprogs for-next, and that a fuzzed on-disk superblock can also trigger the unsafe condition.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of this flaw can corrupt the XFS log and render the filesystem unmountable or unable to recover its journal during mount. The primary security impact is high availability loss, with limited integrity impact due to log corruption. The supplied CVSS vectors reflect no confidentiality impact, low integrity impact, and high availability impact.

Mitigation

If you can’t patch tonight, do this now.

Until patched kernels and corrected filesystem creation tools are deployed, reduce exposure by avoiding creation or use of XFS filesystems with inconsistent log geometry, especially on storage with 4K physical sectors where the superblock log stripe unit is absent or malformed. Validate XFS superblock and log parameters on newly created filesystems, and avoid mounting or trusting malformed or fuzzed XFS images from untrusted sources. If operationally feasible, restrict use of affected XFS volumes until updated kernels are installed.

Remediation

Patch, then assume compromise.

Apply a Linux kernel update containing the upstream XFS fix for undersized l_iclog_roundoff handling. Vendor guidance in the provided content indicates that SUSE has shipped fixes in multiple kernel update advisories across affected product lines. Where applicable, also use corrected xfsprogs/mkfs tooling so that newly created filesystems do not inherit the broken on-disk configuration described in the content.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
LinuxLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

5 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-43365
NVD
nvd.nist.gov/vuln/detail/CVE-2026-43365
MITRE CWE · CWE-1284
cwe.mitre.org
Patch
git.kernel.org/stable/c/2ecda4b83749c1fef0c9dea4fd5e8b513aba3e40
Patch
git.kernel.org/stable/c/41e91dff2d3974730b5ee50daa8e27ec254cbf91
Patch
git.kernel.org/stable/c/446a1f5bb64ba38adb93cb043ff0f7b85e8937ca
Patch
git.kernel.org/stable/c/52a8a1ba883defbfe3200baa22cf4cd21985d51a
Patch
git.kernel.org/stable/c/5afae524f83d6a18517298491a5624cb0eae5029
Patch
git.kernel.org/stable/c/5e7148402dfc4a5b7894d8e97b15e5c2e70924aa
Patch
git.kernel.org/stable/c/e88ce9f0536f3b2149afb70625cfc4bd74a4ac6d