Skip to main content

Linux Kernel CVE-2026-43076

| EUVDEUVD-2026-27563 HIGH
Use After Free (CWE-416)
2026-05-06 Linux GHSA-w594-5gj3-f9g6
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:24 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 11:01 EUVD
CVE Published
May 06, 2026 - 07:40 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: validate inline data i_size during inode read

When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count).

This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory.

In the syzbot report:

  • i_size was 1099511627576 bytes (~1TB)
  • Actual inline data capacity (id_count) is typically <256 bytes
  • A garbage rec_len (54648) caused ctx->pos to jump out of bounds
  • This triggered a UAF in ocfs2_check_dir_entry()

Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.

AnalysisAI

Use-after-free in Linux kernel's OCFS2 filesystem allows local attackers with user interaction to achieve arbitrary code execution, privilege escalation, or denial of service via crafted filesystem images. Affects kernels since initial OCFS2 implementation (2.6.16+) through 6.19.13. Vendor patches available across all supported stable branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) suggests low probability of mass exploitation, though CVSS 7.8 reflects high impact if triggered. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

Technical ContextAI

OCFS2 (Oracle Cluster File System 2) is a shared-disk cluster filesystem in the Linux kernel supporting inline data storage for small files and directories. When OCFS2_INLINE_DATA_FL flag is set, file content is stored directly in the inode structure rather than separate data blocks. The inode's i_size field indicates content size, while id_count defines the inline data buffer capacity (typically <256 bytes). The vulnerability exists in ocfs2_validate_inode_block() which validates inode metadata during read operations but fails to check that i_size does not exceed id_count for inline data inodes. This allows corrupted or maliciously crafted filesystems to specify absurdly large i_size values (syzbot reproducer showed 1099511627576 bytes for a <256 byte buffer). When ocfs2_dir_foreach_blk_id() iterates directory entries using unchecked i_size, it reads beyond the inline data buffer into freed kernel memory. A garbage rec_len field in the out-of-bounds memory causes ctx->pos calculations to jump arbitrarily, triggering use-after-free conditions when ocfs2_check_dir_entry() dereferences freed memory. This represents a classic integer/bounds validation failure in filesystem metadata parsing code.

RemediationAI

Upgrade to patched kernel versions: 6.6.136+ for LTS 6.6 series, 6.12.83+ for 6.12 series, 6.18.24+ for 6.18 series, 6.19.14+ for 6.19 series, or 7.0+ for mainline. Distribution-specific updates available through normal security update channels (apt, yum, dnf, zypper). Consult distribution security advisories for exact package versions. For systems unable to patch immediately, implement compensating controls with awareness of trade-offs: (1) Disable OCFS2 filesystem support by blacklisting the ocfs2 kernel module (echo 'blacklist ocfs2' >> /etc/modprobe.d/disable-ocfs2.conf) - eliminates attack surface entirely but breaks legitimate OCFS2 usage in clustered storage environments; (2) Restrict filesystem mounting privileges using mount namespace isolation, AppArmor/SELinux policies denying mount capabilities to unprivileged users, or fstab configurations limiting mount operations - reduces attack surface but may impact usability in multi-tenant or development environments; (3) Implement filesystem integrity verification (dm-verity, IMA/EVM) for all mounted filesystems to detect corruption before mount - adds operational complexity and performance overhead. Note that generic security hardening (kernel.unprivileged_userns_clone=0, restricting /dev access) provides minimal protection against this specific vector since the vulnerability triggers during legitimate filesystem operations after mount. Verify patch application using kernel version checks (uname -r) and CVE scanning tools.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy