PT-2026-37386 · Linux · Linux

Syzbot · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-43076

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

In the Linux kernel, the following vulnerability has been resolved:
ocfs2: validate inline data i_size during inode read
When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count).
This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory.
In the syzbot report:
  • i_size was 1099511627576 bytes (~1TB)
  • Actual inline data capacity (id_count) is typically <256 bytes
  • A garbage rec_len (54648) caused ctx->pos to jump out of bounds
  • This triggered a UAF in ocfs2_check_dir_entry()
Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.
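
The check described above, as an added userspace model in C; it is not the kernel patch or ocfs2 code. The struct layout, the `model_*` names, the flag value and the 200-byte capacity are assumptions made for illustration, and the sample inode is constructed from the values in the syzbot report.

```c
#include <stdint.h>
#include <string.h>

#define MODEL_INLINE_DATA_FL 0x0001 /* model flag: inode body holds inline data */
#define MODEL_INLINE_CAP     200    /* constructed capacity, under 256 bytes */

/* Simplified userspace model; NOT the kernel's on-disk ocfs2 inode layout. */
struct model_inode {
    uint64_t i_size;        /* size claimed by the (possibly corrupt) inode */
    uint16_t dyn_features;
    uint16_t id_count;      /* inline data capacity in bytes */
    uint8_t  id_data[MODEL_INLINE_CAP];
};

/* Read-time check: an inline-data inode must have i_size <= id_count. */
int model_validate_inode(const struct model_inode *di)
{
    if (!(di->dyn_features & MODEL_INLINE_DATA_FL))
        return 0;
    if (di->id_count > sizeof(di->id_data) || di->i_size > di->id_count)
        return -1;          /* corrupt: reject before anything walks the data */
    return 0;
}

/* Walk records that each start with a host-endian 16-bit rec_len (model layout).
 * Returns the record count, or -1 if the inode or any record is invalid. */
int model_walk_inline_dir(const struct model_inode *di)
{
    uint64_t pos = 0;
    int n = 0;

    if (model_validate_inode(di) != 0)
        return -1;
    while (di->i_size - pos >= sizeof(uint16_t)) {
        uint16_t rec_len;
        memcpy(&rec_len, di->id_data + pos, sizeof(rec_len));
        if (rec_len < sizeof(rec_len) || rec_len > di->i_size - pos)
            return -1;      /* rec_len would move pos out of bounds */
        pos += rec_len;
        n++;
    }
    return pos == di->i_size ? n : -1;
}

/* Constructed sample: inline directory whose first record has this rec_len. */
int model_walk_sample(uint64_t i_size, uint16_t rec_len)
{
    struct model_inode di = { .i_size = i_size, .dyn_features = MODEL_INLINE_DATA_FL,
                              .id_count = MODEL_INLINE_CAP };
    memcpy(di.id_data, &rec_len, sizeof(rec_len));
    return model_walk_inline_dir(&di);
}
```

In this model the reported i_size of 1099511627576 is rejected at validation, and a rec_len of 54648 inside an otherwise valid inode is rejected by the walker's own bounds check.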

Fix

Related Identifiers

CVE-2026-43076

Affected Products

Linux