Description
In the Linux kernel, the following vulnerability has been resolved:

ovl: keep err zero after successful ovl_cache_get()

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
IS_ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

getdents64
iterate_dir(outer overlay file)
ovl_iterate_merged()
ovl_cache_get()
ovl_dir_read_merged()
ovl_dir_read()
iterate_dir(inner overlay file)
ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.
Published: 2026-06-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel contains a bug where the overlay filesystem implementation mistakenly keeps a non‑zero error code after a successful cache lookup. The function ovl_iterate_merged stores the result of PTR_ERR(cache) in an error variable before verifying the pointer is actually an error, so a successful call can caller. Based on the description, it is inferred that this can cause processes performing directory reads over overlay mounts to incorrectly interpret normal operation as a failure, potentially leading to application crashes or denial of service. The description does not explicitly state a confidentiality or integrity breach; it is inferred that the vulnerability does not directly compromise those aspects.

Affected Systems

Linux kernel installations that include the overlayfs module and are running a version prior to the applied fix are affected. The specific vendor is the Linux kernel project, but no version range is listed in the data, so all kernels that still contain the unpatched code are considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity risk, while the EPSS score of less than 1% (about 0.0016) indicates a low but nonzero probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker would need to interact with a system that mounts overlay filesystems and performs directory reads. The bug does not provide remote code execution or privilege escalation, so the attack surface is confined to the user with sufficient privileges to mount and access overlays. If an attacker could control overlay mounts or perform many readdir operations, they might induce repeated failures, potentially leading to application crashes or denial of service in applications that do not handle the erroneous error codes.

Generated by OpenCVE AI on June 28, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that incorporates the fixed ovl_iterate_merged error handling logic.
  • If kernel upgrade is not feasible, consider disabling or uninstalling overlayfs support to prevent the flawed error reporting from influencing normal operations.
  • Verify overlay filesystem behavior in your environment, ensuring readdir calls do not return unexpected errors, and modify application error handling to tolerate non‑fatal directory read failures.

Generated by OpenCVE AI on June 28, 2026 at 14:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8489-1 Linux kernel (OEM) vulnerabilities
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 26 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-170

Fri, 26 Jun 2026 12:15:00 +0000


Thu, 25 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-170

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.
Title ovl: keep err zero after successful ovl_cache_get()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:47.801Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53174

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53174 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses
  • CWE-253

    Incorrect Check of Function Return Value