CVE-2026-43075
Buffer Overflow in OCFS2 Filesystem
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | ocfs2 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's ocfs2 filesystem implementation. It is an out-of-bounds write issue in the function ocfs2_write_end_inline, which occurs when writing inline data to an inode block buffer. The problem arises because the function ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine if the write fits within the inline data capacity. On a corrupted filesystem, this id_count can exceed the maximum allowed, causing the write operation to overflow the inode block buffer and write into adjacent freed memory pages.
Although Kernel Address Sanitizer (KASAN) reports this as a use-after-free (UAF) write, the actual bug is an out-of-bounds write past the inode block buffer. The overflow happens during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device.
The issue is fixed by adding an upper bound check on the id_count field in the ocfs2_validate_inode_block() function, preventing writes that exceed the inline data capacity.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption due to out-of-bounds writes in the ocfs2 filesystem code. Such memory corruption may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited.
Because the overflow writes into adjacent freed memory pages, it could be leveraged to manipulate kernel memory, leading to privilege escalation or denial of service on systems using the ocfs2 filesystem, especially if the filesystem is corrupted and mounted on a loop device.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in the Linux kernel ocfs2 filesystem involves an out-of-bounds write caused by trusting a corrupted on-disk id_count field. The fix involves adding an upper bound check for id_count in ocfs2_validate_inode_block alongside the existing i_size check.
To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for ocfs2. This will prevent the out-of-bounds write by properly validating the id_count field.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an out-of-bounds write in the ocfs2 filesystem code within the Linux kernel, specifically triggered on a corrupted ocfs2 filesystem mounted on a loop device.
Detection would typically involve checking for filesystem corruption on ocfs2 mounts and monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating use-after-free or out-of-bounds writes related to ocfs2_write_end_inline.
Suggested commands include:
- Check mounted filesystems for ocfs2: `mount | grep ocfs2`
- Run filesystem check on the ocfs2 device (replace /dev/loopX with your device): `fsck.ocfs2 /dev/loopX`
- Examine kernel logs for KASAN reports: `dmesg | grep -i kasan` or `journalctl -k | grep -i kasan`
- Monitor for kernel oops or crash messages related to ocfs2: `dmesg | grep ocfs2`