CVE-2026-43075

HIGH EPSS 2.6%
Published May 6, 20261mo ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published May 6, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
2.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write Memory Safety

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥2.6.24.1  –  <6.6.136
linuxlinux_kernel*≥6.7  –  <6.12.83
linuxlinux_kernel*≥6.13  –  <6.18.24
linuxlinux_kernel*≥6.19  –  <6.19.14
linuxlinux_kernel2.6.24any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any
linuxlinux_kernel7.0any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/22df7d4de9c5cd42edf855a1de25f2106088c4c6
  • git.kernel.org https://git.kernel.org/stable/c/2e6a254f9cedf51b75cc20b8b92e2209bfa04c3e
  • git.kernel.org https://git.kernel.org/stable/c/68f9cc3bbf2ae501770cea7dc0005fc9a85e48ea
  • git.kernel.org https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f
    Patch