CVE-2026-53174
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
ovl: keep err zero after successful ovl_cache_get()
ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.
The syzbot reproducer reaches this through overlay-on-overlay readdir:
getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged()
Only compute PTR_ERR(cache) on the error path.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d25e4b739f8378419f990983f2542160e79738c5 < e7051909a01bfb883bfa78b27514854068ac4b85 | affected |
| Linux | Linux | d25e4b739f8378419f990983f2542160e79738c5 < 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 | affected |
| Linux | Linux | 6.19 | affected |
| Linux | Linux | 0 < 6.19 | unaffected |
| Linux | Linux | 7.0.13 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/e7051909a01bfb883bfa78b27514854068ac4b85
- https://git.kernel.org/stable/c/1711b6ed6953cee5940ca4c3a6e77f1b3798cee2
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.