CVE-2026-43076

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel (Mainline versions prior to commit c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b)

Linux Kernel (Stable branches 6.x, 5.x prior to respective backports)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * Conceptual PoC for CVE-2026-43076
 * This demonstrates the missing check in the vulnerable code.
 * In a real scenario, one would craft a disk image with a corrupted
 * OCFS2 inode where i_size > id_count.
 */

struct ocfs2_dinode {
    // ... other fields ...
    __u16 i_suballoc_slot;
    __u16 i_suballoc_bit;
    __u32 i_clusters;
    __u32 i_size;          // Size on disk
    __u32 i_uid;
    __u32 i_gid;
    __u32 i_mode;
    // ... inline data fields ...
    __u16 id_count;        // Actual inline data capacity
    // ...
};

void vulnerable_function(struct ocfs2_dinode *inode) {
    // Vulnerable code path missing this check:
    // if (inode->i_size > inode->id_count) { error(); }

    if (inode->i_mode & S_IFDIR) {
        // This leads to ocfs2_dir_foreach_blk_id
        // iterating beyond id_count based on i_size
        iterate_inline_data(inode, inode->i_size);
    }
}

// Exploitation requires mounting a crafted filesystem image.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43076
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43076
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43076/
[4] VulDB https://vuldb.com/cve/CVE-2026-43076
[5] https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f
[6] https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63
[7] https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc
[8] https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b
[9] https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43076", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T10:16:20.590", "lastModified": "2026-05-08T13:16:38.297", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data.  If\nthe filesystem is corrupted, an inode's i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n  - i_size was 1099511627576 bytes (~1TB)\n  - Actual inline data capacity (id_count) is typically <256 bytes\n  - A garbage rec_len (54648) caused ctx->pos to jump out of bounds\n  - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size <= id_count.  This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}