Skip to main content

Linux Kernel EUVDEUVD-2026-32796

| CVE-2026-46169 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wjh6-3xg7-c2h2
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local mount privileges required (AV:L, PR:L); impact is kernel crash only with no confidentiality or integrity effect; AC:L as no special timing or race conditions are required beyond a crafted image.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 11, 2026 - 13:08 vuln.today
CVSS changed
Jun 11, 2026 - 13:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:

HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:

  1. Calls hfs_brec_read() to read the data
  2. Validates the record size based on the type field:
  • Fixed size for folder and file records
  • Variable size for thread records (depends on string length)
  1. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.

AnalysisAI

Uninitialized memory use in the Linux kernel HFS+ filesystem driver (hfsplus) can crash the kernel when a local user mounts a crafted, corrupted HFS+ image. The flaw in hfs_brec_read() allows a partial catalog record read - as few as 26 bytes into a 520-byte structure - leaving the nodeName field uninitialized; this data then propagates through hfsplus_cat_build_key_uni() into hfsplus_strcasecmp(), where it is used as array indices in case_fold(), triggering a kernel denial of service. No public exploit is identified at time of analysis and EPSS is very low at 0.02% (5th percentile); this is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the HFS+ (Hierarchical File System Plus) driver within the Linux kernel, specifically in hfs_brec_read() and its callers in the catalog record handling path. The CWE-908 (Use of Uninitialized Resource) root cause is a missing size validation: hfs_brec_read() validates only that fd->entrylength does not exceed the buffer size, but does not check that it is at least as large as the expected on-disk record structure. On a corrupted image, a catalog thread record with rec_len=520 but entrylength=26 causes only 26 bytes to be written, leaving 494 bytes of the structure uninitialized. The uninitialized nodeName string then flows into hfsplus_cat_build_key_uni() and subsequently into hfsplus_strcasecmp(), where bytes are used as indices into the case_fold() lookup table - a pattern surfaced by KMSAN (Kernel Memory Sanitizer) during Syzbot fuzzing. The fix introduces an hfsplus_brec_read_cat() wrapper that validates record size against type-specific expectations (fixed sizes for folder/file records, a minimum threshold for variable-length thread records) and returns -EIO on mismatch. The CPE data (cpe:2.3:o:linux:linux_kernel) confirms the vulnerability spans Linux kernel versions from the 2.6.12 era through the fix commits.

RemediationAI

The primary fix is to update the Linux kernel to a patched stable release: 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc1, with fix commits available at git.kernel.org (see references: https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d and related commits). Linux distribution maintainers (RHEL, Ubuntu, Debian, SUSE) will backport these fixes into distribution kernel packages; consult vendor-specific security advisories for exact package versions. Where immediate kernel update is not feasible, blacklisting the hfsplus module is an effective compensating control with minimal operational impact on non-macOS-interop workloads: add 'blacklist hfsplus' to /etc/modprobe.d/blacklist-hfsplus.conf and regenerate the initramfs - this eliminates the attack surface entirely at the cost of losing HFS+ volume support. On systems where unprivileged mount access is the enabler, restricting mount permissions (e.g., setting kernel.unprivileged_userns_clone=0, or removing CAP_SYS_ADMIN from untrusted users) removes the attack vector without affecting server workloads, though it may affect containerized or desktop environments that rely on unprivileged user namespaces.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

EUVD-2026-32796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy