Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs
various sanity checks but does not validate the size of inline data. If
the filesystem is corrupted, an inode's i_size can exceed the actual
inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data
buffer, triggering a use-after-free when accessing directory entries from
freed memory.

In the syzbot report:
- i_size was 1099511627576 bytes (~1TB)
- Actual inline data capacity (id_count) is typically <256 bytes
- A garbage rec_len (54648) caused ctx->pos to jump out of bounds
- This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure
inodes with inline data have i_size <= id_count. This catches the
corruption early during inode read and prevents all downstream code from
operating on invalid data.
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

When an ocfs2 inode is read, the Linux kernel does not verify that the reported i_size fits within the actual inline data capacity. A corrupted filesystem can record an i_size that greatly exceeds the inline buffer length, causing the directory iterator to process data beyond the boundary. This out‑of‑bounds read triggers a use‑after‑free when the code later dereferences freed memory during directory entry processing. The resulting kernel memory corruption may allow an attacker to influence kernel behavior, but the description does not explicitly confirm arbitrary code execution.

Affected Systems

All Linux kernel releases prior to the commit that adds the i_size validation check in the ocfs2 filesystem driver are vulnerable. The issue resides in the ocfs2 filesystem module, which is part of the standard Linux kernel. Systems that load the ocfs2 module or mount ocfs2 filesystems on vulnerable kernels are affected, regardless of distribution.

Risk and Exploitability

The CVSS score is 7.8 (High), but the EPSS score of <1% indicates that exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. To exploit the flaw, a corrupted ocfs2 inode must be accessed; based on the description, this could lead to kernel memory corruption and potentially privilege escalation, but the actual exploitability remains theoretical. Remote exploitation without filesystem manipulation is improbable.

Generated by OpenCVE AI on May 21, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the ocfs2 inode size validation patch, addressing the use‑after‑free weakness (CWE-416), and reboot the system.
  • If a kernel upgrade cannot be performed immediately, disable or unload the ocfs2 module to prevent the use of affected filesystems, or avoid mounting those filesystems.
  • Run a filesystem consistency check on any affected ocfs2 partitions using fsck.ocfs2 or a similar utility to repair corrupted inodes or recover data.

Advisories

No advisories yet.

History

Wed, 20 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 07 May 2026 04:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Thu, 07 May 2026 00:15:00 +0000


Wed, 06 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Wed, 06 May 2026 09:30:00 +0000

Type Values Removed Values Added
Description (added; identical to the description shown at the top of this page)
Title ocfs2: validate inline data i_size during inode read
First Time appeared: Linux, Linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux, Linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:17:15.367Z

Reserved: 2026-05-01T14:12:55.983Z

Link: CVE-2026-43076

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T10:16:20.590

Modified: 2026-05-20T23:19:25.910

Link: CVE-2026-43076

Redhat

Severity :

Public Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43076 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T00:30:43Z

Weaknesses