Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

KASAN reports a use-after-free write of 4086 bytes in
ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
a loop device. The actual bug is an out-of-bounds write past the inode
block buffer, not a true use-after-free. The write overflows into an
adjacent freed page, which KASAN reports as UAF.

The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
id_count field to determine whether a write fits in inline data. On a
corrupted filesystem, id_count can exceed the physical maximum inline data
capacity, causing writes to overflow the inode block buffer.

Call trace (crash path):

vfs_copy_file_range (fs/read_write.c:1634)
do_splice_direct
splice_direct_to_actor
iter_file_splice_write
ocfs2_file_write_iter
generic_perform_write
ocfs2_write_end
ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
memcpy_from_folio <-- KASAN: write OOB

So add an id_count upper-bound check in ocfs2_validate_inode_block()
alongside the existing i_size check to fix it.
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds write (CWE-1284 and CWE-787) occurs in the Linux kernel's OCFS2 filesystem when a buffered write reaches ocfs2_write_end_inline on an inode whose on-disk id_count field has been corrupted. The reported trigger was a copy_file_range call on a corrupted OCFS2 image mounted on a loop device, which fell back to splice and ended in the ordinary generic_perform_write -> ocfs2_write_end path. Because ocfs2_try_to_write_inline_data trusts id_count without checking it against the physical inline-data capacity of the inode block, the write is allowed to run past the end of that block buffer; KASAN observed a 4086-byte memcpy_from_folio landing in an adjacent freed page and reported it as a use-after-free. The result is kernel memory corruption, which at minimum crashes the host and could in principle be steered into further kernel compromise.
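The trust problem described in the commit message and in the paragraph above, as an added example rather than ocfs2 code: a user-space model of an inline-data inode block in which the vulnerable path decides "fits" purely from the on-disk id_count, while the validation step caps id_count at the physical capacity derived from the block geometry before any write touches the block. The struct layout, the 4096-byte block, the helper names (inline_capacity, fits_inline_untrusted, overflow_bytes, validate_inode_block, write_end_inline, demo_block, demo_payload) and the UINT16_MAX id_count used to stand in for the corrupted image are all assumptions of this example, not the kernel's.

```c
/*
 * Model of the id_count trust problem in the ocfs2 inline-data write path.
 * This is an added example, not ocfs2 code: the struct layout, field names
 * and helper names are assumptions chosen to mirror the commit message, and
 * BLOCK_SIZE, the 4086-byte write and the UINT16_MAX id_count are constructed
 * inputs for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 4096u   /* assumed: one inode occupies one filesystem block */

struct inode_block {
    uint64_t i_size;       /* file size as stored on disk */
    uint16_t id_count;     /* on-disk claim of how many inline bytes fit */
    uint16_t id_reserved;
    uint32_t id_flags;
    uint8_t  id_data[];    /* inline payload, runs to the end of the block */
};

/* Physical inline capacity depends only on the block geometry, never on
 * what the disk claims: everything after the fixed header. */
size_t inline_capacity(void)
{
    return BLOCK_SIZE - offsetof(struct inode_block, id_data);
}

/* The vulnerable decision: trust id_count to say whether a write fits.
 * On a corrupted image id_count can exceed inline_capacity(). */
int fits_inline_untrusted(const struct inode_block *di, size_t pos, size_t len)
{
    return pos + len <= di->id_count;
}

/* Bytes a write covering [pos, pos+len) would land past the end of the block. */
size_t overflow_bytes(size_t pos, size_t len)
{
    size_t end = pos + len;
    size_t cap = inline_capacity();
    return end > cap ? end - cap : 0;
}

/* Validation when the inode block is read, modelled on the fix: keep the
 * existing i_size sanity check and add an upper bound on id_count.
 * Returns 0 if sane, -1 if i_size exceeds the inline claim, -2 if the
 * claim itself exceeds the physical capacity. */
int validate_inode_block(const struct inode_block *di)
{
    if (di->i_size > di->id_count)
        return -1;
    if (di->id_count > inline_capacity())
        return -2;
    return 0;
}

/* Hardened write path: refuse blocks that fail validation, then bound the
 * copy by the (now trustworthy) id_count. Returns bytes written or -1. */
long write_end_inline(struct inode_block *di, size_t pos,
                      const uint8_t *src, size_t len)
{
    if (validate_inode_block(di) != 0)
        return -1;
    if (len > (size_t)di->id_count || pos > (size_t)di->id_count - len)
        return -1;
    memcpy(di->id_data + pos, src, len);
    if (pos + len > di->i_size)
        di->i_size = pos + len;
    return (long)len;
}

/* Constructed inode block in a static, suitably aligned buffer.
 * corrupt != 0 sets id_count beyond the physical capacity, standing in
 * for the corrupted image in the report. */
struct inode_block *demo_block(int corrupt)
{
    static _Alignas(uint64_t) uint8_t buf[BLOCK_SIZE];
    struct inode_block *di = (struct inode_block *)buf;

    memset(buf, 0, sizeof buf);
    di->i_size = 16;
    di->id_count = corrupt ? UINT16_MAX : (uint16_t)inline_capacity();
    return di;
}

/* Constructed payload: 4086 bytes of 'A', the size KASAN reported. */
const uint8_t *demo_payload(void)
{
    static uint8_t payload[4086];
    memset(payload, 'A', sizeof payload);
    return payload;
}

int main(void)
{
    struct inode_block *di = demo_block(1);
    size_t len = 4086;

    printf("capacity %zu bytes, on-disk id_count %u\n",
           inline_capacity(), di->id_count);
    printf("untrusted check says fits=%d, write would overrun by %zu bytes\n",
           fits_inline_untrusted(di, 0, len), overflow_bytes(0, len));
    printf("validate_inode_block -> %d (rejected before any write)\n",
           validate_inode_block(di));
    printf("write_end_inline -> %ld\n",
           write_end_inline(di, 0, demo_payload(), len));
    return 0;
}
```

The point of putting the bound in the block validator rather than in the write helper is that every path which loads the inode (ordinary write(), splice, copy_file_range, anything else that ends in generic_perform_write) is covered by the one check, and a corrupted block is rejected before any code computes a copy length from it.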

Affected Systems

Systems that run a Linux kernel with OCFS2 support and mount OCFS2 volumes are affected. The CVE text itself gives no version range; the NVD CPE entries recorded on this page name kernel 2.6.24 and 7.0-rc1 through 7.0-rc7, so any kernel build whose ocfs2_validate_inode_block() lacks the id_count upper-bound check should be treated as vulnerable. Exposure is only realised when a corrupted or crafted OCFS2 image is mounted and written to.

Risk and Exploitability

With a CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the vulnerability is rated high severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitation needs a local, low-privileged attacker who can get a corrupted OCFS2 image mounted (the report used a loop device) and then write to an inline-data inode on it; the reported trigger was copy_file_range falling back to splice, but the call trace runs through generic_perform_write, so any buffered write that reaches ocfs2_write_end_inline on the corrupted inode suffices. A successful trigger corrupts kernel memory, which reliably yields a crash and could potentially be developed into privilege escalation. Because the flaw is in kernel code, the impact is significant wherever those conditions can be met.

Generated by OpenCVE AI on May 21, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround is listed on this page; the upstream kernel fix is the id_count upper-bound check added to ocfs2_validate_inode_block() described above.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the ocfs2 fix adding the id_count upper-bound check to ocfs2_validate_inode_block().
  • Run filesystem integrity checks on OCFS2 volumes and repair or reformat any that show corruption, since the bug is only reachable through a corrupted inode block.
  • If a kernel upgrade is not immediately possible, unmount affected OCFS2 filesystems or mount them read-only until the patch is applied. Restricting copy_file_range alone is not sufficient: the crash path goes through generic_perform_write, so any buffered write to a corrupted inline-data inode can reach ocfs2_write_end_inline.

Generated by OpenCVE AI on May 21, 2026 at 00:23 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:o:linux:linux_kernel:2.6.24:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it.
Title ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:14.141Z

Reserved: 2026-05-01T14:12:55.982Z

Link: CVE-2026-43075

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T10:16:20.463

Modified: 2026-05-20T23:19:40.187

Link: CVE-2026-43075

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43075 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T00:30:43Z

Weaknesses