CVE-2026-46169
Uninitialized Memory Read in Linux Kernel HFS+ Filesystem

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:

HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:
1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
   - Fixed size for folder and file records
   - Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.
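To make the size check concrete, the following is an added stand-alone C model of the validation the commit message describes; it is not the kernel's code and does not reproduce the kernel's structures. The record layout offsets, the MODEL_* constants, the function names validate_cat_record, check_constructed_thread and check_constructed_fixed, and the constructed records are assumptions of this model; the type values and the 10-byte minimum thread size (type, reserved, parentID, nodeName.length) follow the HFS+ on-disk format. The point it demonstrates is the one the fix relies on: never inspect a byte at an offset beyond what was actually read, and reject any record whose announced type implies a different size than the bytes present.

```c
#include <errno.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* HFS+ catalog record types (values from the on-disk format). */
#define HFSPLUS_FOLDER        0x0001
#define HFSPLUS_FILE          0x0002
#define HFSPLUS_FOLDER_THREAD 0x0003
#define HFSPLUS_FILE_THREAD   0x0004

/* Model constants (assumed for this example): folder and file records are
 * fixed size; a thread record is 10 bytes of header plus two bytes per
 * UTF-16 unit of nodeName. The 10-byte minimum is what the commit message
 * calls HFSPLUS_MIN_THREAD_SZ. */
#define MODEL_FOLDER_SZ       88
#define MODEL_FILE_SZ         248
#define MODEL_MIN_THREAD_SZ   10
#define MODEL_NAME_LEN_OFF    8     /* offset of nodeName.length in a thread record */
#define MODEL_MAX_NAME_LEN    255
#define MODEL_THREAD_SZ(len)  (MODEL_MIN_THREAD_SZ + 2 * (size_t)(len))
#define MODEL_BUF_SZ          1024

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate that the `entrylength` bytes actually read cover the whole record
 * the type field announces. Returns 0 on success, -EIO otherwise. Only bytes
 * inside [0, entrylength) are ever inspected, so the uninitialized tail of a
 * larger destination buffer is never read. */
int validate_cat_record(const uint8_t *rec, size_t entrylength)
{
    size_t expected;

    if (entrylength < 2)            /* not even a complete type field */
        return -EIO;

    switch (be16(rec)) {
    case HFSPLUS_FOLDER:
        expected = MODEL_FOLDER_SZ;
        break;
    case HFSPLUS_FILE:
        expected = MODEL_FILE_SZ;
        break;
    case HFSPLUS_FOLDER_THREAD:
    case HFSPLUS_FILE_THREAD: {
        /* Check the minimum thread size BEFORE reading nodeName.length;
         * otherwise the length itself could come from uninitialized memory. */
        if (entrylength < MODEL_MIN_THREAD_SZ)
            return -EIO;
        uint16_t name_len = be16(rec + MODEL_NAME_LEN_OFF);
        if (name_len > MODEL_MAX_NAME_LEN)
            return -EIO;
        expected = MODEL_THREAD_SZ(name_len);
        break;
    }
    default:
        return -EIO;                /* unknown record type */
    }
    return entrylength == expected ? 0 : -EIO;
}

/* Constructed thread record (not real disk data): a folder-thread header
 * claiming `name_len` name units, of which `entrylength` bytes "arrived". */
int check_constructed_thread(size_t entrylength, uint16_t name_len)
{
    uint8_t buf[MODEL_BUF_SZ];
    if (entrylength > sizeof buf)
        return -EINVAL;
    memset(buf, 0, sizeof buf);     /* defensive zero-fill, as the fix does for tmp */
    buf[0] = 0; buf[1] = HFSPLUS_FOLDER_THREAD;
    buf[MODEL_NAME_LEN_OFF] = (uint8_t)(name_len >> 8);
    buf[MODEL_NAME_LEN_OFF + 1] = (uint8_t)name_len;
    return validate_cat_record(buf, entrylength);
}

/* Constructed fixed-size record of the given type with `entrylength` bytes read. */
int check_constructed_fixed(uint16_t type, size_t entrylength)
{
    uint8_t buf[MODEL_BUF_SZ];
    if (entrylength > sizeof buf)
        return -EINVAL;
    memset(buf, 0, sizeof buf);
    buf[0] = (uint8_t)(type >> 8); buf[1] = (uint8_t)type;
    return validate_cat_record(buf, entrylength);
}

int main(void)
{
    /* The partial read from the report: only 26 bytes arrive. If the name
     * length they carry does not account for exactly 26 bytes, the record is
     * rejected instead of 494 stale bytes reaching the string compare. */
    printf("26-byte thread, name_len=100: %d\n", check_constructed_thread(26, 100));
    printf("26-byte thread, name_len=8:   %d\n", check_constructed_thread(26, 8));
    printf("5-byte thread (too short):    %d\n", check_constructed_thread(5, 0));
    printf("88-byte folder record:        %d\n", check_constructed_fixed(HFSPLUS_FOLDER, 88));
    printf("26-byte folder record:        %d\n", check_constructed_fixed(HFSPLUS_FOLDER, 26));
    return 0;
}
```

The ordering inside the thread case is the part worth copying: the minimum-size test guards the read of nodeName.length, and the length is range-checked before it is turned into an expected size, so a corrupted image can neither make the validator read past the bytes present nor talk it into accepting an impossible size.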
Meta Information
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's hfsplus filesystem code. Specifically, the function hfs_brec_read() does not properly validate the size of on-disk catalog records before reading them. When mounting a corrupted filesystem, it may read fewer bytes than expected into a structure, leaving a large portion of the structure uninitialized.

This uninitialized data is then copied and used in subsequent functions, such as hfsplus_strcasecmp(), which triggers warnings from the Kernel Memory Sanitizer (KMSAN) because uninitialized memory is being accessed. The root cause is that hfs_brec_read() only checks if the read length is not greater than the buffer size but does not check if it is less than the expected size.

The fix involves introducing a wrapper function hfsplus_brec_read_cat() that validates the record size based on the record type and returns an error if the size does not match expectations. Additional defensive programming measures were added to initialize variables to prevent use of uninitialized data.


How can this vulnerability impact me?

This vulnerability can lead to the use of uninitialized memory within the kernel when mounting a corrupted HFS+ filesystem. While the description focuses on triggering KMSAN warnings, uninitialized memory usage can potentially lead to unpredictable behavior, including information leaks or system instability.

Since the issue involves reading corrupted filesystem data without proper validation, it might be exploited to cause kernel errors or crashes, which could impact system reliability or security.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by validating the catalog record size when reading HFS+ filesystem records in the Linux kernel.

Immediate mitigation steps include updating the Linux kernel to a version that includes the fix which introduces the hfsplus_brec_read_cat() wrapper. This wrapper validates record sizes and returns an error if the size does not match the expected value, preventing uninitialized data usage.

Additionally, ensure that any corrupted HFS+ filesystems are not mounted until the kernel is updated, as the issue arises when mounting corrupted filesystems.

