GHSA-3J7G-P6X3-6QQJ

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33
Details

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: return error when node already exists in hfs_bnode_create

When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put():

    kernel BUG at fs/hfsplus/bnode.c:676!
    BUG_ON(!atomic_read(&node->refcnt))

This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption.

Returning an existing node from a create path is not normal operation.

Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values.
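The reference-count imbalance and the fix described above, as an added userspace model that is not the kernel's code. The names `node_create`, `node_put`, `double_create` and the fixed-size `table` are hypothetical, and `ERR_PTR`/`IS_ERR` are local stand-ins for the kernel helpers.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model (hypothetical names); not code from fs/hfsplus. */
#define ERR_PTR(e) ((void *)(intptr_t)(e))             /* stand-ins for the kernel helpers */
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)-4095)
#define NODES 8

struct node { int refcnt; int hashed; };
static struct node table[NODES];                       /* stands in for the bnode hash */

/* fixed == 0: described pre-fix behaviour; fixed == 1: described fix. */
static struct node *node_create(unsigned idx, int fixed)
{
    struct node *n = &table[idx];
    if (n->hashed)                                     /* node already exists */
        return fixed ? ERR_PTR(-EEXIST) : n;           /* pre-fix: no reference taken */
    n->hashed = 1;
    n->refcnt = 1;
    return n;
}

/* Returns -1 where the kernel would hit BUG_ON(!atomic_read(&node->refcnt)). */
static int node_put(struct node *n)
{
    if (n->refcnt == 0)
        return -1;
    n->refcnt--;
    return 0;
}

/* Node 0 is created once legitimately, then "allocated" again as if its
 * bitmap bit were unset. Returns how many puts would trip the BUG_ON. */
static int double_create(int fixed)
{
    int bugs = 0;
    memset(table, 0, sizeof(table));
    struct node *owner = node_create(0, 0);
    struct node *again = node_create(0, fixed);
    if (!IS_ERR(again))                                /* callers already check IS_ERR() */
        bugs += node_put(again) < 0;
    bugs += node_put(owner) < 0;
    return bugs;
}

int main(void)
{
    printf("pre-fix: %d bad put(s), fixed: %d bad put(s)\n",
           double_create(0), double_create(1));
    return 0;
}
```

In the pre-fix path two callers each believe they hold a reference but only one was ever counted, so the second put finds the count already at zero; with the error return the second caller never receives the node and never puts it.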


{
  "affected": [],
  "aliases": [
    "CVE-2026-45960"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:12Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: return error when node already exists in hfs_bnode_create\n\nWhen hfs_bnode_create() finds that a node is already hashed (which should\nnot happen in normal operation), it currently returns the existing node\nwithout incrementing its reference count. This causes a reference count\ninconsistency that leads to a kernel panic when the node is later freed\nin hfs_bnode_put():\n\n    kernel BUG at fs/hfsplus/bnode.c:676!\n    BUG_ON(!atomic_read(\u0026node-\u003erefcnt))\n\nThis scenario can occur when hfs_bmap_alloc() attempts to allocate a node\nthat is already in use (e.g., when node 0\u0027s bitmap bit is incorrectly\nunset), or due to filesystem corruption.\n\nReturning an existing node from a create path is not normal operation.\n\nFix this by returning ERR_PTR(-EEXIST) instead of the node when it\u0027s\nalready hashed. This properly signals the error condition to callers,\nwhich already check for IS_ERR() return values.",
  "id": "GHSA-3j7g-p6x3-6qqj",
  "modified": "2026-05-27T15:33:18Z",
  "published": "2026-05-27T15:33:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45960"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e9185a42e0e237c74435fd092b7c34537c62156"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/507a1de58c21c95ad7c44afccaf1222d1c42246b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51838112d9c22502333c3085ca0c0d691e7093c6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b57ada854b32310f224abd61bcfec2d5790ff0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/986455135b95f32c1f142068e451098fc751749e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8a73cc46c8462a969a7516131feb3096f4c49d3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

