Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs
various sanity checks but does not validate the size of inline data. If
the filesystem is corrupted, an inode's i_size can exceed the actual
inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
buffer, triggering a use-after-free when accessing directory entries from
freed memory.

In the syzbot report:
- i_size was 1099511627576 bytes (~1TB)
- Actual inline data capacity (id_count) is typically <256 bytes
- A garbage rec_len (54648) caused ctx->pos to jump out of bounds
- This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
inodes with inline data have i_size <= id_count. This catches the
corruption early during inode read and prevents all downstream code from
operating on invalid data.
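As an added illustration for this record (not the kernel's code and not part of the CVE text): a small, self-contained C model of the fix described above. The structs, the 200-byte capacity and the sample directory are constructed for the example; only the two numbers from the syzbot report (i_size 1099511627576 and rec_len 54648) come from the description. validate_inline_inode() is the i_size <= id_count check the patch adds, read_inode() runs it before any directory code sees the inode, and foreach_inline_dir_entry() shows why a bounded iterator also has to reject a rec_len that would carry the position past the end of the buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an inode with inline data. Field names follow the advisory
 * text (i_size, id_count, rec_len) but this is NOT the real ocfs2 on-disk layout. */
#define MODEL_INLINE_CAPACITY 200

struct model_dir_entry {
    uint16_t rec_len;   /* length of this record, header included */
    uint8_t  name_len;  /* bytes of name following the header */
    char     name[];
};
struct model_inode {
    uint64_t i_size;    /* declared size of the inline data */
    uint16_t id_count;  /* actual capacity of the inline buffer */
    uint8_t  id_data[MODEL_INLINE_CAPACITY];
};
enum { OK = 0, ERR_CORRUPTED = -1 };

/* The check the fix adds at inode read: the declared inline size must fit the buffer. */
int validate_inline_inode(const struct model_inode *di)
{
    return di->i_size > di->id_count ? ERR_CORRUPTED : OK;
}

/* Walk inline directory entries without reading past i_size. Returns the entry count,
 * or ERR_CORRUPTED when a rec_len is implausibly small or would overrun the end. */
int foreach_inline_dir_entry(const struct model_inode *di)
{
    uint64_t pos = 0, limit = di->i_size;
    int count = 0;
    while (pos + sizeof(struct model_dir_entry) <= limit) {
        const struct model_dir_entry *de = (const struct model_dir_entry *)(di->id_data + pos);
        if (de->rec_len < sizeof(struct model_dir_entry) + de->name_len || pos + de->rec_len > limit)
            return ERR_CORRUPTED;   /* the "garbage rec_len" case from the report */
        pos += de->rec_len;
        count++;
    }
    return count;
}

/* Inode read path: validate first, so directory code never sees a lying i_size. */
int read_inode(const struct model_inode *di)
{
    int rc = validate_inline_inode(di);
    return rc != OK ? rc : foreach_inline_dir_entry(di);
}

/* Append one entry at pos; records are padded to a 4-byte boundary. */
static uint64_t append_entry(struct model_inode *di, uint64_t pos, const char *name)
{
    struct model_dir_entry *de = (struct model_dir_entry *)(di->id_data + pos);
    uint8_t len = (uint8_t)strlen(name);
    de->rec_len = (uint16_t)((sizeof *de + len + 3) & ~(size_t)3);
    de->name_len = len;
    memcpy(de->name, name, len);
    return pos + de->rec_len;
}

/* Constructed sample: a well-formed inline directory holding "." and ".." (16 bytes). */
static void build_sample_inode(struct model_inode *di)
{
    memset(di, 0, sizeof *di);
    di->id_count = MODEL_INLINE_CAPACITY;
    di->i_size = append_entry(di, append_entry(di, 0, "."), "..");
}

/* Scenario 1: a sane inode is read and both entries are visited. */
int demo_valid(void)
{
    struct model_inode di; build_sample_inode(&di);
    return read_inode(&di);
}

/* Scenario 2: the ~1TB i_size from the syzbot report on a 200-byte buffer;
 * with the fix it is rejected before any iteration happens. */
int demo_oversized_isize(void)
{
    struct model_inode di; build_sample_inode(&di);
    di.i_size = 1099511627576ULL;
    return read_inode(&di);
}

/* Scenario 3: i_size is sane but the first rec_len is the report's garbage value;
 * the bounded iterator refuses to jump past the end of the buffer. */
int demo_garbage_rec_len(void)
{
    struct model_inode di; build_sample_inode(&di);
    ((struct model_dir_entry *)di.id_data)->rec_len = 54648;
    return read_inode(&di);
}

int main(void)
{
    printf("valid: %d entries, oversized i_size: %d, garbage rec_len: %d\n",
           demo_valid(), demo_oversized_isize(), demo_garbage_rec_len());
    return 0;
}
```

Compile with cc -Wall and run: the valid inode yields 2 entries, while both corrupted variants are refused before any out-of-bounds read can happen. The point for defenders is the ordering: the size check sits on the inode read path, so every downstream consumer of the inode inherits it, which is exactly what the commit message means by catching the corruption early.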
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When an ocfs2 inode is read, the Linux kernel does not check whether the declared i_size fits within the actual inline data capacity. A corrupted filesystem can record an i_size that greatly exceeds the inline buffer's length, causing the directory iterator to process data beyond the buffer boundary. This out-of-bounds access triggers a use-after-free when the code later dereferences freed memory during directory entry processing. The result can corrupt kernel state or provide a path to execute arbitrary code with kernel privileges, a classic use-after-free and buffer overread flaw.

Affected Systems

The flaw resides in the Linux kernel’s ocfs2 filesystem driver. All kernel releases prior to the commit that adds the i_size validation check are vulnerable, regardless of distribution. The associated CPE string is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. Systems whose kernel includes the ocfs2 driver and that mount a filesystem containing corrupted inodes may be affected.

Risk and Exploitability

No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a corrupted inode, which can be introduced by a local attacker or by anyone who controls the filesystem contents. Triggering the use-after-free can lead to kernel privilege escalation. The attack surface is limited to systems that mount or access ocfs2 filesystems that may be corrupted; it is unlikely to be remotely exploitable over the network unless the device is exposed to an attacker who can manipulate the filesystem.

Generated by OpenCVE AI on May 6, 2026 at 11:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ocfs2 inode size validation fix and reboot the system.
  • If a kernel upgrade is not immediately possible, avoid mounting or using ocfs2 filesystems that may contain corrupted inodes; consider migrating the data to a different file system or disabling the ocfs2 module.
  • Run a filesystem consistency check (fsck) on the affected partition to repair or remove corrupted inodes.

Generated by OpenCVE AI on May 6, 2026 at 11:29 UTC.

Advisories

No advisories yet.

History

Wed, 06 May 2026 11:45:00 +0000

Changes (nothing removed, values added):
Weaknesses: CWE-119, CWE-416

Wed, 06 May 2026 09:30:00 +0000

Changes (nothing removed, values added):
Description: identical to the Description at the top of this page
Title: ocfs2: validate inline data i_size during inode read
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References: none listed

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T07:40:13.634Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43076

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-06T10:16:20.590

Modified: 2026-05-06T10:16:20.590

Link: CVE-2026-43076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T11:30:26Z

Weaknesses