CVE-2026-43075

Source
https://cve.org/CVERecord?id=CVE-2026-43075
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43075.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-43075
Downstream
Published
2026-05-06T07:40:03.337Z
Modified
2026-07-15T01:49:06.060929416Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix out-of-bounds write in ocfs2writeend_inline

KASAN reports a use-after-free write of 4086 bytes in ocfs2writeendinline, called from ocfs2writeendnolock during a copyfilerange splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF.

The root cause is that ocfs2trytowriteinlinedata trusts the on-disk idcount field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer.

Call trace (crash path):

vfscopyfilerange (fs/readwrite.c:1634) dosplicedirect splicedirecttoactor iterfilesplicewrite ocfs2filewriteiter genericperformwrite ocfs2writeend ocfs2writeendnolock (fs/ocfs2/aops.c:1949) ocfs2writeendinline (fs/ocfs2/aops.c:1915) memcpyfrom_folio <-- KASAN: write OOB

So add idcount upper bound check in ocfs2validateinodeblock() to alongside the existing i_size check to fix it.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43075.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
1afc32b952335f665327a1a9001ba1b44bb76fd9
Fixed
68f9cc3bbf2ae501770cea7dc0005fc9a85e48ea
Fixed
2e6a254f9cedf51b75cc20b8b92e2209bfa04c3e
Fixed
22df7d4de9c5cd42edf855a1de25f2106088c4c6
Fixed
e2c9dc6b6e96f3585f2a1062ca3374a52db0938f
Fixed
947f953978b0d9463498d548d0f054f5a75be2e9
Fixed
0c1af902223b6fcedb60904ca0b551254686c7b9
Fixed
69d3c69ade1e4285ab4ca48fe7acee0767e65604
Fixed
7bc5da4842bed3252d26e742213741a4d0ac1b14

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43075.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.24
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.136
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.83
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.24
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.14

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43075.json"