PatchSiren cyber security CVE debrief

CVE-2026-43474 Linux CVE debrief

CVE-2026-43474 is a Linux kernel vulnerability in file attribute handling where an uninitialized field was passed into vfs_fileattr_get(). The issue was confirmed by KMSAN as an uninit-value read in fuse_fileattr_get(), and the available fix initializes the relevant flags before the call. NVD rates the issue MEDIUM with a local, low-privilege impact focused on availability.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distribution kernel teams, and operators of systems running affected kernel versions should care, especially where FUSE or file attribute paths are in use. Security teams responsible for patching kernel packages should prioritize this as a stability and availability fix.

Technical summary

The kernel change addresses a missing initialization step in fs/file_attr.c: before calling vfs_fileattr_get(), the code now initializes flags_valid for the fa path, mirroring the established initialization pattern used in the internal file_kattr "*get" context. The bug surfaced as a KMSAN uninitialized-value report in fuse_fileattr_get() (fs/fuse/ioctl.c), indicating that an uninitialized local value could flow through file attribute retrieval logic. NVD maps the issue to CWE-908 and lists a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.

Defensive priority

Patch promptly. The flaw is local and primarily affects availability, but it sits in kernel filesystem code and has explicit upstream/stable fixes referenced by NVD, so kernel updates should be treated as high operational priority for affected systems.

Recommended defensive actions

  • Update Linux kernel packages to a build that includes the referenced fixes.
  • Verify whether your deployed kernel falls within the affected ranges listed by NVD: 6.17 before 6.18.19, 6.19 before 6.19.9, and 7.0-rc1/rc2.
  • Prioritize remediation on hosts that expose FUSE-based workflows or rely heavily on file attribute operations.
  • Track distro advisories and vendor kernel backports rather than relying only on upstream version numbers.
  • After updating, confirm the running kernel build matches the patched release in your fleet management records.
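The version check in the second action, written out as a POSIX shell helper. This is an added example, not PatchSiren's or the kernel project's tooling; it assumes `uname -r` output of the usual `major.minor.patch[-rcN][-suffix]` form and encodes only the three NVD ranges quoted above. A match means the vendor advisory must be consulted, because distribution kernels backport fixes without changing the upstream version number.

```shell
#!/bin/sh
# Added example: compare a kernel version string with the NVD affected
# ranges for CVE-2026-43474 (6.17 before 6.18.19, 6.19 before 6.19.9,
# 7.0-rc1 and 7.0-rc2). A match means "check your vendor advisory".

# Split e.g. "6.18.19-generic" or "7.0.0-rc1" into KMAJ, KMIN, KPAT
# and KRC (0 when the string is not a release candidate).
parse_kver() {
    base=${1%%-*}                      # strip "-generic", "-rc1", ...
    rest=${1#"$base"}                  # the stripped suffix, or ""
    KMAJ=${base%%.*}
    case "$base" in
        *.*) r=${base#*.}; KMIN=${r%%.*} ;;
        *)   r="";         KMIN=0 ;;
    esac
    case "$r" in
        *.*) KPAT=${r#*.} ;;
        *)   KPAT=0 ;;
    esac
    case "$rest" in
        -rc[0-9]*) KRC=${rest#-rc} ;;
        *)         KRC=0 ;;
    esac
    # keep only the leading digits ("19+deb12" -> "19"), default to 0
    KMAJ=${KMAJ%%[!0-9]*}; KMIN=${KMIN%%[!0-9]*}
    KPAT=${KPAT%%[!0-9]*}; KRC=${KRC%%[!0-9]*}
    KMAJ=${KMAJ:-0}; KMIN=${KMIN:-0}; KPAT=${KPAT:-0}; KRC=${KRC:-0}
}

# Exit 0 when the version lies inside an NVD affected range, else 1.
kernel_in_cve_2026_43474_range() {
    parse_kver "$1"
    if [ "$KMAJ" -eq 6 ]; then
        [ "$KMIN" -eq 17 ] && return 0                        # 6.17.x
        [ "$KMIN" -eq 18 ] && [ "$KPAT" -lt 19 ] && return 0  # < 6.18.19
        [ "$KMIN" -eq 19 ] && [ "$KPAT" -lt 9 ] && return 0   # < 6.19.9
    elif [ "$KMAJ" -eq 7 ] && [ "$KMIN" -eq 0 ]; then
        [ "$KRC" -ge 1 ] && [ "$KRC" -le 2 ] && return 0      # 7.0-rc1/rc2
    fi
    return 1
}

# Report on the running kernel when executed as a script.
if kernel_in_cve_2026_43474_range "$(uname -r)"; then
    echo "$(uname -r): inside an NVD affected range; check vendor advisory"
else
    echo "$(uname -r): outside the NVD affected ranges"
fi
```

Running it against a fleet inventory is a matter of feeding each host's recorded kernel string to `kernel_in_cve_2026_43474_range` instead of `uname -r`.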

Evidence notes

This debrief is based on the supplied NVD CVE record and the linked kernel patch references. The description attributes the fix to initializing flags_valid before vfs_fileattr_get(), and the KMSAN trace in the record shows an uninitialized-value read in fuse_fileattr_get(). NVD marks the vulnerability as analyzed and provides the affected version ranges and CVSS vector. No exploit details are included here.

Official resources

Publicly disclosed in the CVE record on 2026-05-08; NVD marked the entry analyzed and updated it on 2026-05-21. The patch references provided by NVD point to kernel fixes.