Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

KASAN reports a use-after-free write of 4086 bytes in
ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
a loop device. The actual bug is an out-of-bounds write past the inode
block buffer, not a true use-after-free. The write overflows into an
adjacent freed page, which KASAN reports as UAF.

The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
id_count field to determine whether a write fits in inline data. On a
corrupted filesystem, id_count can exceed the physical maximum inline data
capacity, causing writes to overflow the inode block buffer.

Call trace (crash path):

vfs_copy_file_range (fs/read_write.c:1634)
do_splice_direct
splice_direct_to_actor
iter_file_splice_write
ocfs2_file_write_iter
generic_perform_write
ocfs2_write_end
ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
memcpy_from_folio <-- KASAN: write OOB

So add an id_count upper bound check in ocfs2_validate_inode_block()
alongside the existing i_size check to fix it.
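The validation the fix describes, as a constructed userspace model added here (not the kernel's code): an inline-data inode block whose on-disk id_count is untrusted, the "does the write fit inline" check that trusts it, and a validate_inode_block() that bounds id_count by the physical inline capacity alongside an i_size check, run before any write trusts the field. The block layout, the 256-byte inline data offset, the function names and the exact i_size rule are assumptions; the real ocfs2 code derives the inline capacity from the superblock block size and inode layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an ocfs2-style inline-data inode block.  This is an
 * added example, not the kernel's code.  The layout and the 256-byte header
 * offset are assumptions; the real driver derives the inline capacity from
 * the superblock block size and the on-disk inode layout. */
#define BLOCK_SIZE          4096
#define INLINE_DATA_OFFSET  256                               /* assumed */
#define MAX_INLINE_DATA     (BLOCK_SIZE - INLINE_DATA_OFFSET) /* 3840 bytes */

struct inline_inode_block {
    uint64_t i_size;                   /* logical file size (from disk) */
    uint16_t id_count;                 /* claimed inline capacity (from disk, untrusted) */
    uint8_t  id_data[MAX_INLINE_DATA]; /* the physical inline data region */
};

/* Build a block with the given on-disk fields (constructed sample input). */
static struct inline_inode_block make_block(uint16_t id_count, uint64_t i_size)
{
    struct inline_inode_block di;
    memset(&di, 0, sizeof di);
    di.id_count = id_count;
    di.i_size = i_size;
    return di;
}

/* The pattern behind the bug: deciding whether a write fits inline purely
 * from the on-disk id_count.  A corrupted id_count larger than the physical
 * region makes this say "fits" for a write that overruns the block buffer. */
static int write_fits_trusting_id_count(const struct inline_inode_block *di,
                                        size_t pos, size_t len)
{
    return pos <= di->id_count && len <= (size_t)di->id_count - pos;
}

/* Hardened validation, run when the inode block is read from disk: bound
 * id_count by the physical capacity and keep an i_size sanity check (the
 * rule modelled here, i_size <= id_count, is an assumption).
 * Returns 0 when the block is sane, -1 when it must be rejected. */
static int validate_inode_block(const struct inline_inode_block *di)
{
    if (di->id_count > MAX_INLINE_DATA)
        return -1;            /* corrupted: claims more space than exists */
    if (di->i_size > di->id_count)
        return -1;            /* inline file cannot exceed its inline region */
    return 0;
}

/* Inline write that trusts id_count only after validation succeeded.
 * Returns the number of bytes copied, or -1 on rejection. */
static long inline_write(struct inline_inode_block *di, size_t pos,
                         const void *src, size_t len)
{
    if (validate_inode_block(di) != 0)
        return -1;
    /* Overflow-safe bounds check against the now-validated id_count. */
    if (pos > di->id_count || len > (size_t)di->id_count - pos)
        return -1;
    memcpy(di->id_data + pos, src, len);
    if (pos + len > di->i_size)
        di->i_size = pos + len;
    return (long)len;
}

/* Scenario 1: a block claiming id_count = 65535 (far beyond 3840 bytes).
 * Returns 1 when the trusting check would have allowed a 4086-byte write
 * (the size KASAN reported) but the hardened path rejects the block. */
static int demo_corrupted_block_rejected(void)
{
    struct inline_inode_block di = make_block(65535, 0);
    uint8_t src[4086] = {0};
    int trusting = write_fits_trusting_id_count(&di, 0, sizeof src);
    long hardened = inline_write(&di, 0, src, sizeof src);
    return trusting == 1 && hardened == -1;
}

/* Scenario 2: a sane block whose id_count fits the physical region.
 * Returns the byte count written for a write that fits. */
static long demo_valid_block_write(void)
{
    struct inline_inode_block di = make_block(MAX_INLINE_DATA, 0);
    const char msg[] = "inline data";
    return inline_write(&di, 100, msg, sizeof msg - 1);
}

int main(void)
{
    printf("corrupted block rejected: %d\n", demo_corrupted_block_rejected());
    printf("valid write returned: %ld\n", demo_valid_block_write());
    return 0;
}
```

The point of the model is where the check lives: rejecting an out-of-range id_count at block-read time means every later consumer of the field, not just the inline write path, can rely on it.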
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the OCFS2 file system handles a copy_file_range operation, via the splice fallback, on a corrupted OCFS2 filesystem mounted on a loop device. ocfs2_write_end_inline performs a 4086-byte write that runs past the end of the inode block buffer because the on-disk id_count value is not bounded by the physical inline data capacity. The out-of-bounds write lands in an adjacent freed page, which is why KASAN reports it as a use-after-free. The corruption could overwrite kernel data structures or code, potentially leading to denial of service or arbitrary code execution.

Affected Systems

The affected products are Linux distributions that ship a kernel with OCFS2 support. Any system running a kernel that includes the OCFS2 file system driver and mounts OCFS2 volumes, particularly volumes that may be corrupted or come from an untrusted source, is at risk. The CVE data lists no specific kernel version ranges, so every kernel build that contains the affected code and has not yet received the patch should be treated as potentially vulnerable.

Risk and Exploitability

No CVSS score is provided, EPSS is not available, and the vulnerability is not in the CISA KEV catalog. Exploitation likely requires local access to the affected machine in order to mount a corrupted OCFS2 filesystem (for example on a loop device) and trigger the copy_file_range splice fallback. An attacker who can mount such a filesystem and perform the copy_file_range operation may provoke the out-of-bounds write and corrupt kernel memory. Because the bug lies in kernel code, the risk is significant wherever an attacker can influence the kernel's I/O path on such a volume.

Generated by OpenCVE AI on May 6, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the ocfs2_write_end_inline out‑of‑bounds write patch.
  • Run filesystem integrity checks and repair on all OCFS2 volumes to remove corruption, and consider re‑formatting the volume if damage is detected.
  • If an immediate kernel update is not possible, temporarily unmount or mount the affected OCFS2 filesystems as read‑only and restrict use of copy_file_range operations until the patch is applied.


Tracking


Advisories

No advisories yet.

History

Wed, 06 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it.
Title ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:03.337Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43075

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:20.463

Modified: 2026-05-06T10:16:20.463

Link: CVE-2026-43075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T11:30:26Z

Weaknesses