CVE-2026-53041
Heap Overflow in OCFS2 Kernel Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix listxattr handling when the buffer is full

[BUG]
If an OCFS2 inode has both inline and block-based xattrs, listxattr() can return a size larger than the caller's buffer when the inline names consume that buffer exactly.

  kernel BUG at mm/usercopy.c:102!
  Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
  RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
  Call Trace:
   __check_heap_object+0xe3/0x120 mm/slub.c:8243
   check_heap_object mm/usercopy.c:196 [inline]
   __check_object_size mm/usercopy.c:250 [inline]
   __check_object_size+0x5c5/0x780 mm/usercopy.c:215
   check_object_size include/linux/ucopysize.h:22 [inline]
   check_copy_size include/linux/ucopysize.h:59 [inline]
   copy_to_user include/linux/uaccess.h:219 [inline]
   listxattr+0xb0/0x170 fs/xattr.c:926
   filename_listxattr fs/xattr.c:958 [inline]
   path_listxattrat+0x137/0x320 fs/xattr.c:988
   __do_sys_listxattr fs/xattr.c:1001 [inline]
   __se_sys_listxattr fs/xattr.c:998 [inline]
   __x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
   ...

[CAUSE]
Commit 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().") replaced the old per-handler list accounting with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect probe mode. That assumption stops being true once ocfs2_listxattr() finishes the inline-xattr pass. If the inline names fill the caller buffer exactly, the block-xattr pass runs with a non-NULL buffer and a remaining size of zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps counting block names, and returns a positive size larger than the supplied buffer.

[FIX]
Detect probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero. That restores the pre-refactor behavior and matches the OCFS2 getxattr helpers. Once the remaining buffer reaches zero while more names are left, the block-xattr pass now returns -ERANGE instead of reporting a size larger than the allocated list buffer.
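The following user-space C model is an added illustration, not ocfs2 source code: it reproduces the two-pass accounting described above, where the buggy probe-mode test (size == 0) lets the block pass keep counting after the inline names have filled the caller's buffer exactly, while the fixed test (buf == NULL) returns -ERANGE. The function names, the sample xattr names and the 15-byte buffer are constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed names: the two inline names need 7 + 8 = 15 bytes (each is
 * stored with its NUL terminator); the single block name needs 9. */
static const char *const INLINE_NAMES[] = { "user.a", "user.bb" };
static const char *const BLOCK_NAMES[]  = { "user.ccc" };

/* One pass over a name set (simplified stand-in for the per-entry helper).
 * buf/size is the remaining destination. fixed == 0 infers probe mode from
 * size == 0 (the bug); fixed == 1 from buf == NULL (the fix). */
static long list_pass(char *buf, size_t size, const char *const *names,
                      int count, int fixed)
{
    size_t total = 0;
    for (int i = 0; i < count; i++) {
        size_t len = strlen(names[i]) + 1;
        int probe = fixed ? (buf == NULL) : (size == 0);
        if (!probe) {
            if (total + len > size)
                return -ERANGE;          /* bounds check only in copy mode */
            memcpy(buf + total, names[i], len);
        }
        total += len;                    /* probe mode only counts */
    }
    return (long)total;                  /* bytes consumed */
}
/* Two passes: inline names first, then block names into whatever space the
 * inline pass left. Filling the buffer exactly leaves size 0 but buf != NULL. */
static long list_all(char *buf, size_t size, int fixed)
{
    long inl = list_pass(buf, size, INLINE_NAMES, 2, fixed);
    if (inl < 0)
        return inl;
    char *rest = buf ? buf + inl : NULL;
    size_t left = buf ? size - (size_t)inl : 0;
    long blk = list_pass(rest, left, BLOCK_NAMES, 1, fixed);
    return blk < 0 ? blk : inl + blk;
}
/* 15-byte caller buffer that the inline names fill exactly: the buggy
 * accounting returns 24 (> 15), the fixed accounting returns -ERANGE. */
static long list_into_full_buffer(int fixed)
{
    char buf[15];
    return list_all(buf, sizeof buf, fixed);
}
/* A real probe call (NULL buffer, size 0) reports 24 with either version. */
static long probe_needed_size(int fixed) { return list_all(NULL, 0, fixed); }
```

In the kernel the 24 returned by the buggy path is what listxattr() then passes to copy_to_user() for a 15-byte allocation, which is the hardened-usercopy check that fires in the trace above.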
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: oracle; Product: ocfs2; Version / Range: *
CWE: CWE-UNKNOWN
AI Quick Actions
Mitigation Strategies

The vulnerability is fixed by a patch that changes how the OCFS2 filesystem handles extended attribute listing when the buffer is full.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes the fix for this issue.

The fix involves detecting probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero, preventing the kernel from returning a size larger than the caller's buffer and avoiding kernel BUGs.

Executive Summary

This vulnerability exists in the Linux kernel's OCFS2 filesystem implementation, specifically in the handling of extended attributes (xattrs) when listing them with the listxattr() function.

If an OCFS2 inode has both inline and block-based xattrs, and the inline xattr names exactly fill the caller's buffer, the function can incorrectly calculate the size needed for the list of xattr names. This happens because the code mistakenly assumes that a zero remaining buffer size means it is in probe mode, which is no longer true after refactoring.

As a result, the function may return a size larger than the actual buffer provided, leading to a kernel BUG triggered at mm/usercopy.c:102, causing an invalid opcode exception and potentially crashing the system.

The fix involved changing the detection of probe mode to check if the destination buffer pointer is NULL rather than if the remaining size is zero, preventing the function from returning an incorrect size and instead returning an error (-ERANGE) when the buffer is too small.

Impact Analysis

This vulnerability can cause a kernel crash (kernel BUG) when listing extended attributes on OCFS2 filesystems under specific conditions.

Such a crash can lead to system instability, denial of service, or unexpected reboots, potentially disrupting services or applications relying on the affected system.

Because it involves kernel-level code, exploitation could affect the entire system's availability and reliability.

Detection Guidance

This vulnerability relates to the OCFS2 filesystem in the Linux kernel and specifically affects the listxattr() system call when handling extended attributes (xattrs) on OCFS2 inodes.

Detection would involve checking for kernel BUG messages related to usercopy operations, especially those mentioning listxattr or OCFS2 xattr handling failures.

You can monitor your system logs (e.g., dmesg or /var/log/kern.log) for kernel BUG messages like:

  • dmesg | grep -i 'kernel BUG at mm/usercopy.c:102'
  • journalctl -k | grep -i 'listxattr'

Additionally, to test whether a system is affected, you could list extended attributes on OCFS2-mounted filesystems with getfattr, which issues the listxattr() system call (there is no standalone listxattr command), especially on files known to have both inline and block-based xattrs.

  • getfattr -d /path/to/ocfs2/file
  • getfattr -d -m - /path/to/ocfs2/file   (lists all namespaces, not only user.*)

If these commands cause kernel crashes or BUG messages, it may indicate the presence of the vulnerability.
