CVE-2026-53041

Source
https://cve.org/CVERecord?id=CVE-2026-53041
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53041.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53041
Downstream
Related
Published
2026-06-24T16:29:47.501Z
Modified
2026-07-14T09:29:39.966048358Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
Summary
ocfs2: fix listxattr handling when the buffer is full
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix listxattr handling when the buffer is full

[BUG] If an OCFS2 inode has both inline and block-based xattrs, listxattr() can return a size larger than the caller's buffer when the inline names consume that buffer exactly.

kernel BUG at mm/usercopy.c:102! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102 Call Trace: __checkheapobject+0xe3/0x120 mm/slub.c:8243 checkheapobject mm/usercopy.c:196 [inline] __checkobjectsize mm/usercopy.c:250 [inline] __checkobjectsize+0x5c5/0x780 mm/usercopy.c:215 checkobjectsize include/linux/ucopysize.h:22 [inline] checkcopysize include/linux/ucopysize.h:59 [inline] copytouser include/linux/uaccess.h:219 [inline] listxattr+0xb0/0x170 fs/xattr.c:926 filenamelistxattr fs/xattr.c:958 [inline] pathlistxattrat+0x137/0x320 fs/xattr.c:988 __dosyslistxattr fs/xattr.c:1001 [inline] __sesyslistxattr fs/xattr.c:998 [inline] __x64syslistxattr+0x7f/0xd0 fs/xattr.c:998 ...

[CAUSE] Commit 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2xattrhandler().") replaced the old per-handler list accounting with ocfs2xattrlist_entry(), but it kept using size == 0 to detect probe mode.

That assumption stops being true once ocfs2listxattr() finishes the inline-xattr pass. If the inline names fill the caller buffer exactly, the block-xattr pass runs with a non-NULL buffer and a remaining size of zero. ocfs2xattrlistentry() then skips the bounds check, keeps counting block names, and returns a positive size larger than the supplied buffer.

[FIX] Detect probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero.

That restores the pre-refactor behavior and matches the OCFS2 getxattr helpers. Once the remaining buffer reaches zero while more names are left, the block-xattr pass now returns -ERANGE instead of reporting a size larger than the allocated list buffer.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53041.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
936b8834366ec05f2a6993f73afd8348cac9718e
Fixed
a35a1c2b170b5b578b1b3fecb95694796552af9a
Fixed
2323084c17370304f49c84b354fe7b3edbb264fe
Fixed
6f702b00b8124c5d3525f19172934544826a114d
Fixed
d919b905939eda93393e3572900ff70dbad2b47f
Fixed
46e66fefb83811958127bc9ad736983ec629d82b
Fixed
2685df8577a38d83b367c8cf52eda9dc286959ff
Fixed
50033ec1350fe68abdc63b950ced7ae57364b77a
Fixed
d12f558e6200b3f47dbef9331ed6d115d2410e59

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53041.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.28
Fixed
5.10.258
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.209
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53041.json"