GHSA-W594-5GJ3-F9G6
Vulnerability from github – Published: 2026-05-06 12:30 – Updated: 2026-05-08 15:31In the Linux kernel, the following vulnerability has been resolved:
ocfs2: validate inline data i_size during inode read
When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count).
This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory.
In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry()
Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.
{
"affected": [],
"aliases": [
"CVE-2026-43076"
],
"database_specific": {
"cwe_ids": [
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T10:16:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data. If\nthe filesystem is corrupted, an inode\u0027s i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n - i_size was 1099511627576 bytes (~1TB)\n - Actual inline data capacity (id_count) is typically \u003c256 bytes\n - A garbage rec_len (54648) caused ctx-\u003epos to jump out of bounds\n - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size \u003c= id_count. This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data.",
"id": "GHSA-w594-5gj3-f9g6",
"modified": "2026-05-08T15:31:15Z",
"published": "2026-05-06T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43076"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.