Description
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: return error when node already exists in hfs_bnode_create

When hfs_bnode_create() finds that a node is already hashed (which should
not happen in normal operation), it currently returns the existing node
without incrementing its reference count. This causes a reference count
inconsistency that leads to a kernel panic when the node is later freed
in hfs_bnode_put():

kernel BUG at fs/hfsplus/bnode.c:676!
BUG_ON(!atomic_read(&node->refcnt))

This scenario can occur when hfs_bmap_alloc() attempts to allocate a node
that is already in use (e.g., when node 0's bitmap bit is incorrectly
unset), or due to filesystem corruption.

Returning an existing node from a create path is not normal operation.

Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's
already hashed. This properly signals the error condition to callers,
which already check for IS_ERR() return values.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Linux kernel's HFS+ filesystem handler: when a node that should be created already exists in the hash table, hfs_bnode_create() returns the existing node without increasing its reference count. Later, when the node is freed in hfs_bnode_put(), the kernel finds a zero reference count and hits the BUG_ON() check, causing a kernel panic. This flaw results in a complete loss of system availability for the affected machine. The flaw does not provide direct code execution or information disclosure but can be leveraged to crash the host.
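
The reference-count imbalance described above, as a small userspace model added here for illustration; it is not the kernel's code. The four-slot table and the names insert_new, node_put and run_scenario are assumptions, and ERR_PTR/IS_ERR/PTR_ERR are minimal stand-ins for the kernel helpers of the same name.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Userspace model, constructed for illustration; not fs/hfsplus/bnode.c. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long e) { return (void *)(intptr_t)e; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct node { int refcnt; int hashed; };
static struct node table[4];           /* stands in for the bnode hash */

static struct node *insert_new(unsigned idx) {
    table[idx] = (struct node){ .refcnt = 1, .hashed = 1 }; /* creator holds one ref */
    return &table[idx];
}
/* Pre-fix behaviour: an already-hashed node is handed back with no new reference. */
static struct node *create_unpatched(unsigned idx) {
    return table[idx].hashed ? &table[idx] : insert_new(idx);
}

/* Post-fix behaviour: the create path reports the collision instead. */
static struct node *create_patched(unsigned idx) {
    return table[idx].hashed ? ERR_PTR(-EEXIST) : insert_new(idx);
}

/* Returns -1 where the kernel would hit BUG_ON(!atomic_read(&node->refcnt)). */
static int node_put(struct node *n) {
    if (n->refcnt == 0) return -1;
    n->refcnt--;
    return 0;
}

/* Node 0 is in use, then "created" again; the result is the owner's final put. */
static int run_scenario(struct node *(*create)(unsigned), long *err) {
    memset(table, 0, sizeof table);
    struct node *owner = create(0);    /* legitimate holder, refcnt == 1 */
    struct node *dup = create(0);      /* allocator picks a node already in use */
    *err = IS_ERR(dup) ? PTR_ERR(dup) : 0;
    if (!*err) node_put(dup);          /* drops a reference that was never taken */
    return node_put(owner);
}

int main(void) {
    long e1, e2;
    int r1 = run_scenario(create_unpatched, &e1), r2 = run_scenario(create_patched, &e2);
    printf("unpatched: put=%d err=%ld; patched: put=%d err=%ld\n", r1, e1, r2, e2);
    return 0;
}
```

In the unpatched run the second caller's put consumes the owner's only reference, so the owner's put is the one that trips the check; in the patched run the second caller sees -EEXIST through IS_ERR() and never touches the count.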

Affected Systems

Any Linux system using the mainstream kernel that mounts or manipulates an HFS+ file system is affected. The problem arises when hfs_bmap_alloc() attempts to allocate a node that is already in use or when the file system is corrupted. The fix is available in recent kernel releases where hfs_bnode_create() returns an error pointer (ERR_PTR(-EEXIST)) instead of the stale node.

Risk and Exploitability

The fault is not listed in the CISA KEV catalog and its EPSS score is not available, indicating no known widespread exploitation. Attackers would need to cause or deliver a corrupted HFS+ volume, or have local access to manipulate the file system to trigger the error path. The impact is a denial of service through kernel panic, and the risk is moderate until a patch is applied. Until the fix is deployed, systems with mounted HFS+ file systems should consider disabling the driver or moving resources away from the affected partitions.

Generated by OpenCVE AI on May 27, 2026 at 18:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the fix which changes hfs_bnode_create() to return ERR_PTR(-EEXIST) and properly increments reference counts.
  • If updating the kernel is not immediately possible, unmount all HFS+ volumes and unload the hfsplus kernel module (e.g., 'sudo rmmod hfsplus') to prevent the kernel from accessing the vulnerable code path.
  • Run a full consistency check (fsck.hfsplus) on any HFS+ partitions and correct any corruption before mounting to avoid accidental entry into the error path.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put(): kernel BUG at fs/hfsplus/bnode.c:676! BUG_ON(!atomic_read(&node->refcnt)) This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption. Returning an existing node from a create path is not normal operation. Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values.
Title hfsplus: return error when node already exists in hfs_bnode_create
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:16.851Z

Reserved: 2026-05-13T15:03:33.089Z

Link: CVE-2026-45960

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:12.650

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:00:16Z

Weaknesses