CVE-2026-45960
Analyzed Analyzed - Analysis Complete
HFSPlus Node Reference Count Bug in Linux Kernel

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put(): kernel BUG at fs/hfsplus/bnode.c:676! BUG_ON(!atomic_read(&node->refcnt)) This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption. Returning an existing node from a create path is not normal operation. Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45960
EUVD
EUVD-2026-32244
Affected Vendors & Products
Showing 13 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.16
linux linux_kernel 2.6.16
linux linux_kernel 2.6.16
linux linux_kernel 2.6.16
linux linux_kernel 2.6.16
linux linux_kernel 2.6.16
linux linux_kernel From 6.13 (inc) to 6.18.14 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 2.6.16.1 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's HFS+ filesystem implementation. Specifically, the function hfs_bnode_create() can return an existing node without increasing its reference count if it finds that the node is already hashed, which should not normally happen. This causes a reference count inconsistency that eventually leads to a kernel panic when the node is freed later.

The problem arises when hfs_bmap_alloc() tries to allocate a node that is already in use, possibly due to filesystem corruption or an incorrect bitmap state. Instead of returning the existing node, the fix changes the function to return an error pointer signaling that the node already exists, preventing the reference count issue.

Impact Analysis

This vulnerability can cause a kernel panic, which is a system crash, leading to denial of service. If triggered, it can cause the Linux system to become unstable or unresponsive, requiring a reboot and potentially causing data loss or disruption of services running on the affected system.

Mitigation Strategies

This vulnerability occurs due to a reference count inconsistency in the hfsplus filesystem code of the Linux kernel, which can lead to a kernel panic.

To mitigate this vulnerability, you should update your Linux kernel to a version where this issue is fixed. The fix involves returning an error pointer (ERR_PTR(-EEXIST)) when a node already exists instead of returning the existing node, preventing the reference count inconsistency.

Additionally, check for filesystem corruption on HFS+ volumes, as corruption can trigger this issue. Running filesystem repair tools on affected volumes may help prevent the problem.

Detection Guidance

This vulnerability manifests as a kernel panic caused by a reference count inconsistency in the hfsplus filesystem code, specifically in hfs_bnode_create and hfs_bnode_put functions.

To detect this vulnerability on your system, you should monitor your system logs for kernel panic messages related to hfsplus, such as:

  • kernel BUG at fs/hfsplus/bnode.c:676!
  • BUG_ON(!atomic_read(&node->refcnt))

You can use commands like the following to check for such messages in your kernel logs:

  • dmesg | grep -i hfsplus
  • journalctl -k | grep -i hfsplus

Additionally, since the issue may be caused by filesystem corruption or incorrect bitmap bits, running filesystem checks on the affected HFS+ partitions may help detect underlying problems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45960. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart