Skip to main content

Linux Kernel CVE-2026-43075

| EUVDEUVD-2026-27560 HIGH
Out-of-bounds Write (CWE-787)
2026-05-06 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:23 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:01 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF.

The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer.

Call trace (crash path):

vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB

So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it.

AnalysisAI

Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.

Technical ContextAI

This vulnerability affects the ocfs2 (Oracle Cluster File System 2) driver in the Linux kernel, specifically the inline data write path. OCFS2 is a shared-disk cluster filesystem that supports storing small files directly within the inode block structure ('inline data') to optimize storage and performance. The ocfs2_try_to_write_inline_data function trusts the on-disk id_count field without validating it against the physical maximum inline data capacity defined by the inode block size. When processing a corrupted filesystem where id_count exceeds this maximum, subsequent memcpy_from_folio operations in ocfs2_write_end_inline write beyond the allocated inode block buffer into adjacent memory regions. The vulnerability is triggered through the VFS copy_file_range path, specifically during splice fallback operations that invoke generic_perform_write. The fix adds an upper bound check in ocfs2_validate_inode_block to reject invalid id_count values during inode validation, preventing the overflow before any write operations occur. This is a filesystem metadata validation issue where an attacker with the ability to mount a crafted filesystem image can trigger memory corruption.

RemediationAI

Update to patched Linux kernel versions: 6.6.136 or later for 6.6.x branch, 6.12.83 or later for 6.12.x branch, 6.18.24 or later for 6.18.x branch, 6.19.14 or later for 6.19.x branch, or 7.0 for mainline. Patches available from kernel.org stable repositories linked in references. If immediate patching is not feasible, implement these compensating controls: (1) Disable ocfs2 filesystem support by blacklisting the ocfs2 kernel module (modprobe.d blacklist, prevents loading but breaks systems requiring ocfs2 for cluster storage), (2) Restrict mount permissions to prevent unprivileged users from mounting filesystem images via loop devices by removing user_allow_other from fuse options and auditing sudoers/polkit rules for mount privileges (reduces attack surface but may break legitimate workflows requiring user mounts), (3) Implement mandatory access controls (SELinux/AppArmor) to restrict which processes can trigger mount operations and copy_file_range syscalls on untrusted filesystems (requires policy customization, may cause application compatibility issues). Note that disabling ocfs2 is the most reliable mitigation with minimal side effects unless the system actively uses ocfs2 for shared cluster storage. Patch references: https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy