Skip to main content

Linux Kernel EUVDEUVD-2026-39265

| CVE-2026-53174 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xxjh-4wcx-gmq5
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
3.3 LOW

Local low-priv trigger via nested overlay readdir (AV:L/AC:L/PR:L); described impact is a spurious error return, so no real C/I and only minor availability (A:L), unlike the input's C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:21 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ovl: keep err zero after successful ovl_cache_get()

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.

AnalysisAI

Improper error handling in the Linux kernel's overlayfs (ovl) directory-iteration code causes ovl_iterate_merged() to return a truncated cache pointer as a bogus non-zero error code after a successful ovl_cache_get(). The flaw is reachable by a local user performing a getdents64/readdir on a stacked overlay-on-overlay mount, as demonstrated by a syzbot reproducer; there is no public exploit and it is not actively exploited. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local low-privileged shell
Delivery
Create overlay-on-overlay nested mount
Exploit
Issue getdents64 on outer overlay
Execution
Hit success path in ovl_iterate_merged
Persist
Truncated pointer returned as bogus errno
Impact
Spurious readdir failure / undefined error handling

Vulnerability AssessmentAI

Exploitation Requires local access (CVSS AV:L) with low privileges (PR:L) and no user interaction, plus a specific non-default deployment: an overlay filesystem mounted on top of another overlay filesystem (overlay-on-overlay), because the bug is only reached through recursive ovl_iterate_merged() during readdir of a nested merged mount. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to low real-world priority despite the 7.8 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local low-privileged user on a host that permits stacked overlay mounts constructs an overlay filesystem layered over another overlay, then issues getdents64/readdir against the outer mount. The success path of ovl_cache_get() causes ovl_iterate_merged() to return a truncated pointer as a non-zero errno, producing a spurious directory-read failure; a syzbot reproducer reaches the path but no weaponized public exploit is known.
Remediation Upstream fix available (commits e7051909a01bfb883bfa78b27514854068ac4b85 and 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2); per the EUVD data the corrected kernel builds are 7.0.13 and 7.1, so upgrade to a distribution kernel that incorporates these stable commits and reboot. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Linux systems running overlayfs with stacked overlay mounts (common in Kubernetes and container environments). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39265 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy