CVE-2026-46169

MEDIUM EPSS 3.0%
Published May 28, 20261mo ago · Modified Jun 19, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published May 28, 2026 1mo ago
Last Modified Jun 19, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value by validating catalog record size Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
3.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-908

Affected Products 9

VendorProductVersionRange
linuxlinux_kernel*≥2.6.12.1  –  <6.6.140
linuxlinux_kernel*≥6.7  –  <6.12.88
linuxlinux_kernel*≥6.13  –  <6.18.30
linuxlinux_kernel*≥6.19  –  <7.0.7
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/3003dbf62d151d47a6b90f71655292a51a05f244
  • git.kernel.org https://git.kernel.org/stable/c/3bc337697c66db2e2a4a94f0509c282c1a014b86
  • git.kernel.org https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8be69532e399eec9d9d990f6958b4ff2383b19b3
  • git.kernel.org https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a
    Patch