{"id":"CVE-2026-43076","summary":"ocfs2: validate inline data i_size during inode read","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data.  If\nthe filesystem is corrupted, an inode's i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n  - i_size was 1099511627576 bytes (~1TB)\n  - Actual inline data capacity (id_count) is typically \u003c256 bytes\n  - A garbage rec_len (54648) caused ctx-\u003epos to jump out of bounds\n  - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size \u003c= id_count.  This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data.","modified":"2026-07-15T01:48:57.439198321Z","published":"2026-05-06T07:40:13.634Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43076.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/131c0b573e1b467b7d553e9ff38003f1acd8f5f2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63"},{"type":"WEB","url":"https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bcd46bc261b215b3b12c557a978299eafa02ecdd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d012c782abcabe68b5b9e71be58a15e9f9d83dc1"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43076.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43076"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"23193e513d1cd69411469f028d56fd175d4a6b07"},{"fixed":"d012c782abcabe68b5b9e71be58a15e9f9d83dc1"},{"fixed":"bcd46bc261b215b3b12c557a978299eafa02ecdd"},{"fixed":"131c0b573e1b467b7d553e9ff38003f1acd8f5f2"},{"fixed":"37f074e65f24f10f8d8df224a572e4cb9e6faf63"},{"fixed":"c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b"},{"fixed":"cd2d765aa7157f852999842af32148128c735d39"},{"fixed":"77d0295725109d77f5854ef5b58c0d06c08168cc"},{"fixed":"1524af3685b35feac76662cc551cbc37bd14775f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43076.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.24"},{"fixed":"5.10.258"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.209"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.136"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.83"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.24"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.14"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43076.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}