GHSA-WJH6-3XG7-C2H2

Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-28 12:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:

HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-46169"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-28T10:16:32Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value by validating catalog record size\n\nSyzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The\nroot cause is that hfs_brec_read() doesn\u0027t validate that the on-disk\nrecord size matches the expected size for the record type being read.\n\nWhen mounting a corrupted filesystem, hfs_brec_read() may read less data\nthan expected. For example, when reading a catalog thread record, the\ndebug output showed:\n\n  HFSPLUS_BREC_READ: rec_len=520, fd-\u003eentrylength=26\n  HFSPLUS_BREC_READ: WARNING - entrylength (26) \u003c rec_len (520) - PARTIAL READ!\n\nhfs_brec_read() only validates that entrylength is not greater than the\nbuffer size, but doesn\u0027t check if it\u0027s less than expected. It successfully\nreads 26 bytes into a 520-byte structure and returns success, leaving 494\nbytes uninitialized.\n\nThis uninitialized data in tmp.thread.nodeName then gets copied by\nhfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering\nthe KMSAN warning when the uninitialized bytes are used as array indices\nin case_fold().\n\nFix by introducing hfsplus_brec_read_cat() wrapper that:\n1. Calls hfs_brec_read() to read the data\n2. Validates the record size based on the type field:\n   - Fixed size for folder and file records\n   - Variable size for thread records (depends on string length)\n3. Returns -EIO if size doesn\u0027t match expected\n\nFor thread records, check against HFSPLUS_MIN_THREAD_SZ before reading\nnodeName.length to avoid reading uninitialized data at call sites that\ndon\u0027t zero-initialize the entry structure.\n\nAlso initialize the tmp variable in hfsplus_find_cat() as defensive\nprogramming to ensure no uninitialized data even if validation is\nbypassed.",
  "id": "GHSA-wjh6-3xg7-c2h2",
  "modified": "2026-05-28T12:30:31Z",
  "published": "2026-05-28T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46169"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.