PT-2026-52270 · Linux · Linux
Published
2026-06-25
·
Updated
2026-06-25
·
CVE-2026-53174
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
ovl: keep err zero after successful ovl cache get()
ovl iterate merged() stores PTR ERR(cache) in err before checking
IS ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.
The syzbot reproducer reaches this through overlay-on-overlay readdir:
getdents64
iterate dir(outer overlay file)
ovl iterate merged()
ovl cache get()
ovl dir read merged()
ovl dir read()
iterate dir(inner overlay file)
ovl iterate merged()
Only compute PTR ERR(cache) on the error path.
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Linux