PT-2026-37386 · Linux · Linux
Published: 2026-05-06 · Updated: 2026-05-06 · CVE-2026-43076
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs
various sanity checks but does not validate the size of inline data. If
the filesystem is corrupted, an inode's i_size can exceed the actual
inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
buffer, triggering a use-after-free when accessing directory entries from
freed memory.

In the syzbot report:
- i_size was 1099511627576 bytes (~1TB)
- Actual inline data capacity (id_count) is typically <256 bytes
- A garbage rec_len (54648) caused ctx->pos to jump out of bounds
- This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
inodes with inline data have i_size <= id_count. This catches the
corruption early during inode read and prevents all downstream code from
operating on invalid data.
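
As an added illustration (not the kernel patch and not code from this advisory), the following user-space C model shows the read-time check described above and a directory walk that relies on it. The struct layout, the `model_` names, the flag value and the 64-byte capacity are assumptions made for the example, not the ocfs2 on-disk format.

```c
#include <stdint.h>
#include <string.h>

/* Simplified user-space model: names follow the advisory, the layout is
 * NOT the ocfs2 on-disk format and the constants are assumptions. */
#define MODEL_INLINE_DATA_FL 0x0001
#define MODEL_ERR_CORRUPT    (-1)

struct model_dirent { uint16_t rec_len; uint8_t name_len; };

struct model_inode {
    uint64_t i_size;       /* size the inode claims */
    uint16_t dyn_features; /* MODEL_INLINE_DATA_FL when data is inline */
    uint16_t id_count;     /* inline data capacity in bytes */
    uint8_t  id_data[64];
};

/* Read-time check from the fix: inline inodes need i_size <= id_count. */
int model_validate_inode(const struct model_inode *di)
{
    if (!(di->dyn_features & MODEL_INLINE_DATA_FL))
        return 0;
    if (di->id_count > sizeof(di->id_data)) /* model-only capacity bound */
        return MODEL_ERR_CORRUPT;
    return di->i_size > di->id_count ? MODEL_ERR_CORRUPT : 0;
}

/* Count records; a bad inode or bad rec_len stops the walk with an error. */
int model_count_dirents(const struct model_inode *di)
{
    uint64_t pos = 0;
    int n = 0;
    if (model_validate_inode(di) != 0)
        return MODEL_ERR_CORRUPT;
    while (pos + sizeof(struct model_dirent) <= di->i_size) {
        struct model_dirent de;
        memcpy(&de, di->id_data + pos, sizeof(de));
        if (de.rec_len < sizeof(de) || de.rec_len > di->i_size - pos)
            return MODEL_ERR_CORRUPT;
        pos += de.rec_len;
        n++;
    }
    return n;
}

/* Constructed sample: inline directory holding two records. */
struct model_inode model_sample(uint64_t i_size, uint16_t second_rec_len)
{
    struct model_inode di = { i_size, MODEL_INLINE_DATA_FL, 64, {0} };
    struct model_dirent a = { 32, 1 }, b = { second_rec_len, 1 };
    memcpy(di.id_data, &a, sizeof(a));
    memcpy(di.id_data + 32, &b, sizeof(b));
    return di;
}
```

The per-record `rec_len` bound in the walk is an extra defensive check in this model; the fix described in the advisory is the `i_size <= id_count` validation at inode read.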
Affected Products
Linux