CVE-2026-43076
Description
In the Linux kernel, the following vulnerability has been resolved: ocfs2: validate inline data i_size during inode read When reading an inode from disk, ocfs2_validate_inode_block() performs various sanity checks but does not validate the size of inline data. If the filesystem is corrupted, an inode's i_size can exceed the actual inline data capacity (id_count). This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data buffer, triggering a use-after-free when accessing directory entries from freed memory. In the syzbot report: - i_size was 1099511627576 bytes (~1TB) - Actual inline data capacity (id_count) is typically <256 bytes - A garbage rec_len (54648) caused ctx->pos to jump out of bounds - This triggered a UAF in ocfs2_check_dir_entry() Fix by adding a validation check in ocfs2_validate_inode_block() to ensure inodes with inline data have i_size <= id_count. This catches the corruption early during inode read and prevents all downstream code from operating on invalid data.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | forky | fixed | 6.19.14-1 |
| debian | sid | fixed | 6.19.14-1 |
| debian | trixie | fixed | 6.12.85-1 |
| linux-kernel | affected | 6.6.136 | |
| linux-kernel | 2.6.24 | affected | |
| linux-kernel | 7.0 | affected | |
References
- https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f
- https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63
- https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc
- https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b
- https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39
- https://www.suse.com/security/cve/CVE-2026-43076.html
- https://security-tracker.debian.org/tracker/CVE-2026-43076
CWEs
CWE-416
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.