CVE-2026-43075
Analyzed Analyzed - Analysis Complete
Buffer Overflow in OCFS2 Filesystem

Publication date: 2026-05-06

Last updated on: 2026-06-01

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-43075
EUVD
EUVD-2026-27560
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.24
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.24 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.14 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.83 (exc)
linux linux_kernel From 2.6.24.1 (inc) to 6.6.136 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ocfs2 filesystem implementation. It is an out-of-bounds write issue in the function ocfs2_write_end_inline, which occurs when writing inline data to an inode block buffer. The problem arises because the function ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine if the write fits within the inline data capacity. On a corrupted filesystem, this id_count can exceed the maximum allowed, causing the write operation to overflow the inode block buffer and write into adjacent freed memory pages.

Although Kernel Address Sanitizer (KASAN) reports this as a use-after-free (UAF) write, the actual bug is an out-of-bounds write past the inode block buffer. The overflow happens during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device.

The issue is fixed by adding an upper bound check on the id_count field in the ocfs2_validate_inode_block() function, preventing writes that exceed the inline data capacity.

Impact Analysis

This vulnerability can lead to memory corruption due to out-of-bounds writes in the ocfs2 filesystem code. Such memory corruption may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges if exploited.

Because the overflow writes into adjacent freed memory pages, it could be leveraged to manipulate kernel memory, leading to privilege escalation or denial of service on systems using the ocfs2 filesystem, especially if the filesystem is corrupted and mounted on a loop device.

Mitigation Strategies

The vulnerability in the Linux kernel ocfs2 filesystem involves an out-of-bounds write caused by trusting a corrupted on-disk id_count field. The fix involves adding an upper bound check for id_count in ocfs2_validate_inode_block alongside the existing i_size check.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix for ocfs2. This will prevent the out-of-bounds write by properly validating the id_count field.

Detection Guidance

This vulnerability involves an out-of-bounds write in the ocfs2 filesystem code within the Linux kernel, specifically triggered on a corrupted ocfs2 filesystem mounted on a loop device.

Detection would typically involve checking for filesystem corruption on ocfs2 mounts and monitoring kernel logs for KASAN (Kernel Address Sanitizer) reports indicating use-after-free or out-of-bounds writes related to ocfs2_write_end_inline.

Suggested commands include:

  • Check mounted filesystems for ocfs2: `mount | grep ocfs2`
  • Run filesystem check on the ocfs2 device (replace /dev/loopX with your device): `fsck.ocfs2 /dev/loopX`
  • Examine kernel logs for KASAN reports: `dmesg | grep -i kasan` or `journalctl -k | grep -i kasan`
  • Monitor for kernel oops or crash messages related to ocfs2: `dmesg | grep ocfs2`
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43075. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart