CVE-2026-43228 - Vulnerability Details

- hfs: Replace BUG_ON with error handling for CNID count checks

Description

In the Linux kernel, the following vulnerability has been resolved:

hfs: Replace BUG_ON with error handling for CNID count checks

In a06ec283e125 next_id, folder_count, and file_count in the super block
info were expanded to 64 bits, and BUG_ONs were added to detect
overflow. This triggered an error reported by syzbot: if the MDB is
corrupted, the BUG_ON is triggered. This patch replaces this mechanism
with proper error handling and resolves the syzbot reported bug.

Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s HFS filesystem contains an integer overflow flaw that triggers when the master directory block of a mounted filesystem becomes corrupted. The overflow occurs in 64‑bit counters for file and folder counts, and the old implementation used a BUG_ON to terminate the kernel when the counters exceeded their limits. The new patch replaces that BUG_ON with graceful error handling, preventing the crash. The weakness is an integer overflow, classified as CWE‑617.

Affected Systems

Any Linux kernel build that includes HFS support but has not incorporated the two referenced commits is susceptible. No explicit version numbers are given in the CVE, so all kernels implementing HFS prior to the patches are considered vulnerable. The vulnerability applies to the general Linux kernel family across vendors.

Risk and Exploitability

The CVSS score for this issue is 5.5 and the EPSS score is less than 1%, indicating a relatively low likelihood of exploitation. It is not featured in the CISA KEV catalog. Attackers could attempt to trigger the bug by a corrupted HFS image; the pathway to exploitation is inferred from the description of the BUG_ON being triggered by an MDB corruption. Depending on the environment, this could be done with local access to mount a malformed filesystem or remotely if the host accepts external disk images. The resulting kernel panic leads to a denial‑of‑service condition that renders the affected machine unusable until reboot.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a06ec283e125e334155fe13005c76c9f484ce759`	affected	< b6536c1ced315fa645576d3a39c6e07f2a472962
`a06ec283e125e334155fe13005c76c9f484ce759`	affected	< b226804532a875c10276168dc55ce752944096bd

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b6536c1ced315fa645576d3a39c6e07f2a472962)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,b226804532a875c10276168dc55ce752944096bd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a revision that includes the patches replacing the BUG_ON checks for the HFS filesystem.
If a kernel upgrade cannot be applied immediately, remove or disable HFS support from the kernel configuration or unload the module so the vulnerable code path cannot run.
Avoid mounting HFS images that have not been verified to be intact or trusted, and eliminate the use of untrusted disk images on the system.

Generated by OpenCVE AI on May 8, 2026 at 23:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00014.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/b226804532a875c10276168dc55ce752944096bd
https://git.kernel.org/stable/c/b6536c1ced315fa645576d3a39c6e07f2a472962
https://lore.kernel.org/linux-cve-announce/2026050655-CVE-2026-43228-4b65@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43228
https://www.cve.org/CVERecord?id=CVE-2026-43228

History

Fri, 08 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-617
References		https://lore.kernel.org/linux-cve-announce/2026050655-CVE-2026-43228-4b65@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43228 https://www.cve.org/CVERecord?id=CVE-2026-43228

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
Title		hfs: Replace BUG_ON with error handling for CNID count checks
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/b226804532a875c10276168dc55ce752944096bd https://git.kernel.org/stable/c/b6536c1ced315fa645576d3a39c6e07f2a472962

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:26.292Z

Updated: 2026-05-11T22:20:28.976Z

Reserved: 2026-05-01T14:12:55.994Z

Link: CVE-2026-43228

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:42.710

Modified: 2026-05-08T21:16:13.633

Link: CVE-2026-43228

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43228 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T23:30:15Z

Weaknesses

CWE-617

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object