CVE Vulnerability Details :
CVE-2026-46169
PUBLISHED
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At-28 May, 2026 | 09:36
Updated At-19 Jun, 2026 | 11:59
Rejected At-
▼CVE Numbering Authority (CNA)
hfsplus: fix uninit-value by validating catalog record size

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed:

    HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26
    HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:

1. Calls hfs_brec_read() to read the data
2. Validates the record size based on the type field:
   - Fixed size for folder and file records
   - Variable size for thread records (depends on string length)
3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.
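Added example (not part of the CVE record and not the kernel patch): a simplified userspace C model of the per-type size check the description outlines, showing why a 26-byte thread record must be rejected when its name length implies 520 bytes. Every model_/MODEL_ name, the struct layout and the folder/file sizes are assumptions made for illustration, and the sample records are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; all model_/MODEL_ names and sizes are assumptions. */
enum { MODEL_FOLDER = 1, MODEL_FILE, MODEL_FOLDER_THREAD, MODEL_FILE_THREAD };
#define MODEL_FOLDER_SZ 88   /* assumed fixed folder record size */
#define MODEL_FILE_SZ   248  /* assumed fixed file record size */
#define MODEL_MAX_NAME  255

struct model_unistr { uint16_t length; uint16_t unicode[MODEL_MAX_NAME]; };
struct model_thread { int16_t type; int16_t reserved; uint32_t parent; struct model_unistr nodeName; };
#define MODEL_MIN_THREAD_SZ (offsetof(struct model_thread, nodeName) + sizeof(uint16_t))

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 if entrylength is exactly what the record type requires, else -EIO. */
int model_check_cat_size(const uint8_t *rec, size_t entrylength)
{
    if (entrylength < sizeof(uint16_t))
        return -EIO;                      /* cannot even read the type field */
    switch (be16(rec)) {
    case MODEL_FOLDER: return entrylength == MODEL_FOLDER_SZ ? 0 : -EIO;
    case MODEL_FILE:   return entrylength == MODEL_FILE_SZ ? 0 : -EIO;
    case MODEL_FOLDER_THREAD:
    case MODEL_FILE_THREAD: {
        /* The length field must have been read before it can be trusted. */
        if (entrylength < MODEL_MIN_THREAD_SZ)
            return -EIO;
        uint16_t n = be16(rec + offsetof(struct model_thread, nodeName));
        if (n > MODEL_MAX_NAME)
            return -EIO;
        return entrylength == MODEL_MIN_THREAD_SZ + 2u * n ? 0 : -EIO;
    }
    default: return -EIO;                 /* unknown record type */
    }
}

int main(void)
{
    /* Constructed 26-byte thread records: one consistent, one claiming 255 chars. */
    uint8_t ok[26] = {0}, lie[26] = {0};
    ok[1] = MODEL_FOLDER_THREAD;  ok[9] = 8;     /* 10 + 2*8 = 26 bytes */
    lie[1] = MODEL_FOLDER_THREAD; lie[9] = 255;  /* 10 + 2*255 = 520 bytes */
    printf("consistent: %d\n", model_check_cat_size(ok, sizeof ok));
    printf("short read: %d\n", model_check_cat_size(lie, sizeof lie));
    return 0;
}
```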

Affected Products
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • fs/hfsplus/bfind.c
  • fs/hfsplus/catalog.c
  • fs/hfsplus/dir.c
  • fs/hfsplus/hfsplus_fs.h
  • fs/hfsplus/super.c
Default Status
unaffected
Versions
Affected
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 3003dbf62d151d47a6b90f71655292a51a05f244 (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 8be69532e399eec9d9d990f6958b4ff2383b19b3 (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 3bc337697c66db2e2a4a94f0509c282c1a014b86 (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 61a790974ff7e533acbceca06c7d02f22bf96d4d (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before a420904450962a562ad053a41a53a27755021b48 (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before 93e8d613f1a01b6637f387cc93f184cf7fb881d6 (git)
  • From 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before b6b592275aeff184aa82fcf6abccd833fb71b393 (git)
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • fs/hfsplus/bfind.c
  • fs/hfsplus/catalog.c
  • fs/hfsplus/dir.c
  • fs/hfsplus/hfsplus_fs.h
  • fs/hfsplus/super.c
Default Status
affected
Versions
Affected
  • 2.6.12
Unaffected
  • From 0 before 2.6.12 (semver)
  • From 5.10.259 through 5.10.* (semver)
  • From 5.15.210 through 5.15.* (semver)
  • From 6.1.176 through 6.1.* (semver)
  • From 6.6.140 through 6.6.* (semver)
  • From 6.12.88 through 6.12.* (semver)
  • From 6.18.30 through 6.18.* (semver)
  • From 7.0.7 through 7.0.* (semver)
  • From 7.1 through * (original_commit_for_fix)
References
  • https://git.kernel.org/stable/c/3003dbf62d151d47a6b90f71655292a51a05f244 (Resource: N/A)
  • https://git.kernel.org/stable/c/8be69532e399eec9d9d990f6958b4ff2383b19b3 (Resource: N/A)
  • https://git.kernel.org/stable/c/3bc337697c66db2e2a4a94f0509c282c1a014b86 (Resource: N/A)
  • https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d (Resource: N/A)
  • https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a (Resource: N/A)
  • https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48 (Resource: N/A)
  • https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6 (Resource: N/A)
  • https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393 (Resource: N/A)