CVE-2026-46169 (GCVE-0-2026-46169)

Vulnerability from cvelistv5 – Published: 2026-05-28 09:36 – Updated: 2026-05-28 09:36
VLAI
Title
hfsplus: fix uninit-value by validating catalog record size
Summary
In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value by validating catalog record size Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.
Severity
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 61a790974ff7e533acbceca06c7d02f22bf96d4d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a420904450962a562ad053a41a53a27755021b48 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 93e8d613f1a01b6637f387cc93f184cf7fb881d6 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b6b592275aeff184aa82fcf6abccd833fb71b393 (git)
Create a notification for this product.
Linux Linux Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 6.6.140 , ≤ 6.6.* (semver)
Unaffected: 6.12.88 , ≤ 6.12.* (semver)
Unaffected: 6.18.30 , ≤ 6.18.* (semver)
Unaffected: 7.0.7 , ≤ 7.0.* (semver)
Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/bfind.c",
            "fs/hfsplus/catalog.c",
            "fs/hfsplus/dir.c",
            "fs/hfsplus/hfsplus_fs.h",
            "fs/hfsplus/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "61a790974ff7e533acbceca06c7d02f22bf96d4d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a420904450962a562ad053a41a53a27755021b48",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "93e8d613f1a01b6637f387cc93f184cf7fb881d6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b6b592275aeff184aa82fcf6abccd833fb71b393",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/hfsplus/bfind.c",
            "fs/hfsplus/catalog.c",
            "fs/hfsplus/dir.c",
            "fs/hfsplus/hfsplus_fs.h",
            "fs/hfsplus/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.30",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.7",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value by validating catalog record size\n\nSyzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The\nroot cause is that hfs_brec_read() doesn\u0027t validate that the on-disk\nrecord size matches the expected size for the record type being read.\n\nWhen mounting a corrupted filesystem, hfs_brec_read() may read less data\nthan expected. For example, when reading a catalog thread record, the\ndebug output showed:\n\n  HFSPLUS_BREC_READ: rec_len=520, fd-\u003eentrylength=26\n  HFSPLUS_BREC_READ: WARNING - entrylength (26) \u003c rec_len (520) - PARTIAL READ!\n\nhfs_brec_read() only validates that entrylength is not greater than the\nbuffer size, but doesn\u0027t check if it\u0027s less than expected. It successfully\nreads 26 bytes into a 520-byte structure and returns success, leaving 494\nbytes uninitialized.\n\nThis uninitialized data in tmp.thread.nodeName then gets copied by\nhfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering\nthe KMSAN warning when the uninitialized bytes are used as array indices\nin case_fold().\n\nFix by introducing hfsplus_brec_read_cat() wrapper that:\n1. Calls hfs_brec_read() to read the data\n2. Validates the record size based on the type field:\n   - Fixed size for folder and file records\n   - Variable size for thread records (depends on string length)\n3. Returns -EIO if size doesn\u0027t match expected\n\nFor thread records, check against HFSPLUS_MIN_THREAD_SZ before reading\nnodeName.length to avoid reading uninitialized data at call sites that\ndon\u0027t zero-initialize the entry structure.\n\nAlso initialize the tmp variable in hfsplus_find_cat() as defensive\nprogramming to ensure no uninitialized data even if validation is\nbypassed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T09:36:24.361Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48"
        },
        {
          "url": "https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393"
        }
      ],
      "title": "hfsplus: fix uninit-value by validating catalog record size",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-46169",
    "datePublished": "2026-05-28T09:36:24.361Z",
    "dateReserved": "2026-05-13T15:03:33.102Z",
    "dateUpdated": "2026-05-28T09:36:24.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-46169",
      "date": "2026-05-29",
      "epss": "0.00018",
      "percentile": "0.05164"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-46169\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-28T10:16:32.537\",\"lastModified\":\"2026-05-28T13:44:01.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nhfsplus: fix uninit-value by validating catalog record size\\n\\nSyzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The\\nroot cause is that hfs_brec_read() doesn\u0027t validate that the on-disk\\nrecord size matches the expected size for the record type being read.\\n\\nWhen mounting a corrupted filesystem, hfs_brec_read() may read less data\\nthan expected. For example, when reading a catalog thread record, the\\ndebug output showed:\\n\\n  HFSPLUS_BREC_READ: rec_len=520, fd-\u003eentrylength=26\\n  HFSPLUS_BREC_READ: WARNING - entrylength (26) \u003c rec_len (520) - PARTIAL READ!\\n\\nhfs_brec_read() only validates that entrylength is not greater than the\\nbuffer size, but doesn\u0027t check if it\u0027s less than expected. It successfully\\nreads 26 bytes into a 520-byte structure and returns success, leaving 494\\nbytes uninitialized.\\n\\nThis uninitialized data in tmp.thread.nodeName then gets copied by\\nhfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering\\nthe KMSAN warning when the uninitialized bytes are used as array indices\\nin case_fold().\\n\\nFix by introducing hfsplus_brec_read_cat() wrapper that:\\n1. Calls hfs_brec_read() to read the data\\n2. Validates the record size based on the type field:\\n   - Fixed size for folder and file records\\n   - Variable size for thread records (depends on string length)\\n3. Returns -EIO if size doesn\u0027t match expected\\n\\nFor thread records, check against HFSPLUS_MIN_THREAD_SZ before reading\\nnodeName.length to avoid reading uninitialized data at call sites that\\ndon\u0027t zero-initialize the entry structure.\\n\\nAlso initialize the tmp variable in hfsplus_find_cat() as defensive\\nprogramming to ensure no uninitialized data even if validation is\\nbypassed.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.