Skip to main content

Linux Kernel EUVDEUVD-2026-32244

| CVE-2026-45960 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-3j7g-p6x3-6qqj
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector with low privileges reflects auto-mount scenarios; availability-only impact matches kernel panic with no data exposure or modification.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:41 vuln.today
CVSS changed
Jun 16, 2026 - 02:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: return error when node already exists in hfs_bnode_create

When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put():

kernel BUG at fs/hfsplus/bnode.c:676! BUG_ON(!atomic_read(&node->refcnt))

This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption.

Returning an existing node from a create path is not normal operation.

Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values.

AnalysisAI

Kernel panic via reference count corruption in the Linux kernel's HFS+ filesystem driver (hfsplus) allows a local attacker with low privileges to crash the system. The function hfs_bnode_create() returns an already-hashed B-tree node without incrementing its reference count when it unexpectedly encounters a node that should not yet exist - a condition triggered by filesystem corruption or a logic error in hfs_bmap_alloc(). When hfs_bnode_put() later decrements the reference count to zero and attempts cleanup, the kernel triggers a fatal BUG_ON(!atomic_read(&node->refcnt)) assertion at bnode.c:676, causing an immediate kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), consistent with the local-only attack vector and niche trigger conditions, but the availability impact is total for affected systems.

Technical ContextAI

The vulnerability resides in the hfsplus (HFS+/Mac OS Extended) filesystem driver within the Linux kernel, specifically in fs/hfsplus/bnode.c. HFS+ organizes metadata in B-tree structures; hfs_bnode_create() allocates new B-tree nodes and caches them in an in-kernel hash table. When the function detects a collision - a node already present in the hash - it returns the cached node pointer but omits the necessary reference count increment (equivalent to kref_get()). The reference counting invariant is then violated: the caller believes it owns a reference it was never granted, and when hfs_bnode_put() decrements the count it can reach zero prematurely, triggering the BUG_ON kernel assertion. The trigger scenario involves hfs_bmap_alloc() attempting to allocate a node whose bitmap bit is incorrectly marked as free despite the node being in active use - a state that arises from HFS+ filesystem corruption. No formal CWE is assigned, but the root cause is consistent with CWE-911 (Improper Update of Reference Count). CPE data (cpe:2.3:o:linux:linux_kernel) confirms all Linux kernel versions from 2.6.16 through the respective stable-series patch points are affected.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or mainline 7.0. Individual fix commits are available at the kernel stable tree (e.g., https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef, https://git.kernel.org/stable/c/2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d, and six additional branch-specific commits referenced in the NVD entry). For systems that cannot be immediately patched, blacklisting the hfsplus kernel module eliminates the attack surface entirely: add 'install hfsplus /bin/true' to /etc/modprobe.d/disable-hfsplus.conf and run 'dracut -f' or 'update-initramfs -u' to persist the change - the trade-off is loss of all HFS+ volume mount capability (affects macOS-formatted external drives and disk images). Additionally, disabling auto-mount behavior in desktop environments or configuring udev rules to block HFS+ volumes reduces the risk from low-privileged users inserting crafted media, at the cost of requiring manual administrative mount operations.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy