CVE-2026-46299 - Vulnerability Details

- hfsplus: fix held lock freed on hfsplus_fill_super()

Description

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix held lock freed on hfsplus_fill_super()

hfsplus_fill_super() calls hfs_find_init() to initialize a search
structure, which acquires tree->tree_lock. If the subsequent call to
hfsplus_cat_build_key() fails, the function jumps to the out_put_root
error label without releasing the lock. The later cleanup path then
frees the tree data structure with the lock still held, triggering a
held lock freed warning.

Fix this by adding the missing hfs_find_exit(&fd) call before jumping
to the out_put_root error label. This ensures that tree->tree_lock is
properly released on the error path.

The bug was originally detected on v6.13-rc1 using an experimental
static analysis tool we are developing, and we have verified that the
issue persists in the latest mainline kernel. The tool is specifically
designed to detect memory management issues. It is currently under active
development and not yet publicly available.

We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we
used GDB to dynamically shrink the max_unistr_len parameter to 1 before
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and
exercises the faulty error path. The following warning was observed
during mount:

=========================
WARNING: held lock freed!
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted
-------------------------
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0
2 locks held by mount/174:
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0

stack backtrace:
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x82/0xd0
debug_check_no_locks_freed+0x13a/0x180
kfree+0x16b/0x510
? hfsplus_fill_super+0xcb4/0x18a0
hfsplus_fill_super+0xcb4/0x18a0
? __pfx_hfsplus_fill_super+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x65f/0xc30
? srso_return_thunk+0x5/0x5f
? pointer+0x4ce/0xbf0
? trace_contention_end+0x11c/0x150
? __pfx_pointer+0x10/0x10
? srso_return_thunk+0x5/0x5f
? bdev_open+0x79b/0xc30
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? vsnprintf+0x6da/0x1270
? srso_return_thunk+0x5/0x5f
? __mutex_unlock_slowpath+0x157/0x740
? __pfx_vsnprintf+0x10/0x10
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? mark_held_locks+0x49/0x80
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? irqentry_exit+0x17b/0x5e0
? trace_irq_disable.constprop.0+0x116/0x150
? __pfx_hfsplus_fill_super+0x10/0x10
? __pfx_hfsplus_fill_super+0x10/0x10
get_tree_bdev_flags+0x302/0x580
? __pfx_get_tree_bdev_flags+0x10/0x10
? vfs_parse_fs_qstr+0x129/0x1a0
? __pfx_vfs_parse_fs_qstr+0x3/0x10
vfs_get_tree+0x89/0x320
fc_mount+0x10/0x1d0
path_mount+0x5c5/0x21c0
? __pfx_path_mount+0x10/0x10
? trace_irq_enable.constprop.0+0x116/0x150
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
? srso_return_thunk+0x5/0x5f
? kmem_cache_free+0x307/0x540
? user_path_at+0x51/0x60
? __x64_sys_mount+0x212/0x280
? srso_return_thunk+0x5/0x5f
__x64_sys_mount+0x212/0x280
? __pfx___x64_sys_mount+0x10/0x10
? srso_return_thunk+0x5/0x5f
? trace_irq_enable.constprop.0+0x116/0x150
? srso_return_thunk+0x5/0x5f
do_syscall_64+0x111/0x680
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ffacad55eae
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8
RSP: 002b
---truncated---

Published: 2026-06-08

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A bookkeeping error in the Linux kernel's HFS+ filesystem code causes a lock acquired during mount to remain held when the associated data structure is freed after a failure path. The kernel detects this as a "held lock freed" warning, which can lead to memory corruption and a kernel panic, effectively denying service. No remote code execution or data exfiltration is possible; the impact is limited to stability and availability of the affected system.

Affected Systems

All Linux installations that run the default kernel and have the HFS+ filesystem enabled (CONFIG_HFSPLUS_FS=y). The flaw exists in kernel versions from the 6.13‑rc1 release up through the current mainline until a patch is applied. Official support is provided by the Linux kernel project.

Risk and Exploitability

The CVSS score is not disclosed, and the EPSS score is unavailable, but the flaw is known to trigger a kernel warning and potential panic when an HFS+ filesystem is mounted and an error in key building occurs. Attack requires local privileges to mount an HFS+ filesystem or have the kernel attempt to mount such a filesystem under control of an attacker. The vulnerability is listed as not in the CISA KEV catalog, indicating no widespread known exploitation at this time. Nonetheless, the risk to availability is significant for systems exposing the ability to mount or load HFS+ volumes.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`89ac9b4d3d1a049ae1054f99b1aed81092cd0a82`	affected	< 3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e
`89ac9b4d3d1a049ae1054f99b1aed81092cd0a82`	affected	< 041acda6d9f96006703466449c10c9a69590c8b9
`89ac9b4d3d1a049ae1054f99b1aed81092cd0a82`	affected	< d309d3308de658d87c42d97e044c89a226327526
`89ac9b4d3d1a049ae1054f99b1aed81092cd0a82`	affected	< bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc
`89ac9b4d3d1a049ae1054f99b1aed81092cd0a82`	affected	< 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733

Linux

affected

Version	Status	Constraints
`3.19`	affected	—
`0`	unaffected	< 3.19
`6.6.140`	unaffected	≤ 6.6.*
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1-rc1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[89ac9b4d3d1a049ae1054f99b1aed81092cd0a82,3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e)`	affected	code_commit	—
`[89ac9b4d3d1a049ae1054f99b1aed81092cd0a82,041acda6d9f96006703466449c10c9a69590c8b9)`	affected	code_commit	—
`[89ac9b4d3d1a049ae1054f99b1aed81092cd0a82,d309d3308de658d87c42d97e044c89a226327526)`	affected	code_commit	—
`[89ac9b4d3d1a049ae1054f99b1aed81092cd0a82,bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc)`	affected	code_commit	—
`[89ac9b4d3d1a049ae1054f99b1aed81092cd0a82,90c500e4fd83fa33c09bc7ee23b6d9cc487ac733)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.19`	affected	semver	—
`[0,3.19)`	unaffected	semver	—
`[6.6.140,6.7.0)`	unaffected	semver	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version containing the commit that adds a missing cleanup call to release the lock before freeing the structure.
If immediate kernel update is not possible, disable the HFS+ filesystem by rebuilding the kernel with CONFIG_HFSPLUS_FS=n or removing the module if it is loadable.
Keep the system’s lockdep debugging enabled to surface similar lock misuse patterns early.
If the system must support HFS+ and cannot update soon, monitor for kernel warnings and investigate any "held lock freed" messages promptly.

Generated by OpenCVE AI on June 8, 2026 at 18:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9
https://git.kernel.org/stable/c/3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e
https://git.kernel.org/stable/c/90c500e4fd83fa33c09bc7ee23b6d9cc487ac733
https://git.kernel.org/stable/c/bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc
https://git.kernel.org/stable/c/d309d3308de658d87c42d97e044c89a226327526

History

Mon, 08 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-145 CWE-480

Mon, 08 Jun 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix held lock freed on hfsplus_fill_super() hfsplus_fill_super() calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing the lock. The later cleanup path then frees the tree data structure with the lock still held, triggering a held lock freed warning. Fix this by adding the missing hfs_find_exit(&fd) call before jumping to the out_put_root error label. This ensures that tree->tree_lock is properly released on the error path. The bug was originally detected on v6.13-rc1 using an experimental static analysis tool we are developing, and we have verified that the issue persists in the latest mainline kernel. The tool is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available. We confirmed the bug by runtime testing under QEMU with x86_64 defconfig, lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we used GDB to dynamically shrink the max_unistr_len parameter to 1 before hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and exercises the faulty error path. The following warning was observed during mount: ========================= WARNING: held lock freed! 7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted ------------------------- mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there! ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 2 locks held by mount/174: #0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40 #1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 stack backtrace: CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 debug_check_no_locks_freed+0x13a/0x180 kfree+0x16b/0x510 ? hfsplus_fill_super+0xcb4/0x18a0 hfsplus_fill_super+0xcb4/0x18a0 ? __pfx_hfsplus_fill_super+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x65f/0xc30 ? srso_return_thunk+0x5/0x5f ? pointer+0x4ce/0xbf0 ? trace_contention_end+0x11c/0x150 ? __pfx_pointer+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x79b/0xc30 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? vsnprintf+0x6da/0x1270 ? srso_return_thunk+0x5/0x5f ? __mutex_unlock_slowpath+0x157/0x740 ? __pfx_vsnprintf+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? mark_held_locks+0x49/0x80 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? irqentry_exit+0x17b/0x5e0 ? trace_irq_disable.constprop.0+0x116/0x150 ? __pfx_hfsplus_fill_super+0x10/0x10 ? __pfx_hfsplus_fill_super+0x10/0x10 get_tree_bdev_flags+0x302/0x580 ? __pfx_get_tree_bdev_flags+0x10/0x10 ? vfs_parse_fs_qstr+0x129/0x1a0 ? __pfx_vfs_parse_fs_qstr+0x3/0x10 vfs_get_tree+0x89/0x320 fc_mount+0x10/0x1d0 path_mount+0x5c5/0x21c0 ? __pfx_path_mount+0x10/0x10 ? trace_irq_enable.constprop.0+0x116/0x150 ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x307/0x540 ? user_path_at+0x51/0x60 ? __x64_sys_mount+0x212/0x280 ? srso_return_thunk+0x5/0x5f __x64_sys_mount+0x212/0x280 ? __pfx___x64_sys_mount+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f do_syscall_64+0x111/0x680 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ffacad55eae Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8 RSP: 002b ---truncated---
Title		hfsplus: fix held lock freed on hfsplus_fill_super()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9 https://git.kernel.org/stable/c/3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e https://git.kernel.org/stable/c/90c500e4fd83fa33c09bc7ee23b6d9cc487ac733 https://git.kernel.org/stable/c/bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc https://git.kernel.org/stable/c/d309d3308de658d87c42d97e044c89a226327526

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-08T15:46:26.670Z

Updated: 2026-06-08T15:46:26.670Z

Reserved: 2026-05-13T15:03:33.111Z

Link: CVE-2026-46299

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-08T17:16:48.393

Modified: 2026-06-08T17:16:48.393

Link: CVE-2026-46299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T19:45:31Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object