Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local low-priv trigger via nested overlay readdir (AV:L/AC:L/PR:L); described impact is a spurious error return, so no real C/I and only minor availability (A:L), unlike the input's C:H/I:H/A:H.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
ovl: keep err zero after successful ovl_cache_get()
ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.
The syzbot reproducer reaches this through overlay-on-overlay readdir:
getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged()
Only compute PTR_ERR(cache) on the error path.
AnalysisAI
Improper error handling in the Linux kernel's overlayfs (ovl) directory-iteration code causes ovl_iterate_merged() to return a truncated cache pointer as a bogus non-zero error code after a successful ovl_cache_get(). The flaw is reachable by a local user performing a getdents64/readdir on a stacked overlay-on-overlay mount, as demonstrated by a syzbot reproducer; there is no public exploit and it is not actively exploited. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires local access (CVSS AV:L) with low privileges (PR:L) and no user interaction, plus a specific non-default deployment: an overlay filesystem mounted on top of another overlay filesystem (overlay-on-overlay), because the bug is only reached through recursive ovl_iterate_merged() during readdir of a nested merged mount. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to low real-world priority despite the 7.8 'High' CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local low-privileged user on a host that permits stacked overlay mounts constructs an overlay filesystem layered over another overlay, then issues getdents64/readdir against the outer mount. The success path of ovl_cache_get() causes ovl_iterate_merged() to return a truncated pointer as a non-zero errno, producing a spurious directory-read failure; a syzbot reproducer reaches the path but no weaponized public exploit is known. |
| Remediation | Upstream fix available (commits e7051909a01bfb883bfa78b27514854068ac4b85 and 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2); per the EUVD data the corrected kernel builds are 7.0.13 and 7.1, so upgrade to a distribution kernel that incorporates these stable commits and reboot. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory Linux systems running overlayfs with stacked overlay mounts (common in Kubernetes and container environments). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39265
GHSA-xxjh-4wcx-gmq5