ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

CVE	CVE-2026-43075
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-06 10:16:20 UTC
Updated	2026-05-08 13:16:38 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix out-of-bounds write in ocfs2_write_end_inline KASAN reports a use-after-free write of 4086 bytes in ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on a loop device. The actual bug is an out-of-bounds write past the inode block buffer, not a true use-after-free. The write overflows into an adjacent freed page, which KASAN reports as UAF. The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk id_count field to determine whether a write fits in inline data. On a corrupted filesystem, id_count can exceed the physical maximum inline data capacity, causing writes to overflow the inode block buffer. Call trace (crash path): vfs_copy_file_range (fs/read_write.c:1634) do_splice_direct splice_direct_to_actor iter_file_splice_write ocfs2_file_write_iter generic_perform_write ocfs2_write_end ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949) ocfs2_write_end_inline (fs/ocfs2/aops.c:1915) memcpy_from_folio <-- KASAN: write OOB So add id_count upper bound check in ocfs2_validate_inode_block() to alongside the existing i_size check to fix it.

Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.000130000 probability, percentile 0.023990000 (date 2026-05-12)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	DECLARED	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 1afc32b952335f665327a1a9001ba1b44bb76fd9 e2c9dc6b6e96f3585f2a1062ca3374a52db0938f git	Not specified
CNA	Linux	Linux	affected 1afc32b952335f665327a1a9001ba1b44bb76fd9 947f953978b0d9463498d548d0f054f5a75be2e9 git	Not specified
CNA	Linux	Linux	affected 1afc32b952335f665327a1a9001ba1b44bb76fd9 0c1af902223b6fcedb60904ca0b551254686c7b9 git	Not specified
CNA	Linux	Linux	affected 1afc32b952335f665327a1a9001ba1b44bb76fd9 69d3c69ade1e4285ab4ca48fe7acee0767e65604 git	Not specified
CNA	Linux	Linux	affected 1afc32b952335f665327a1a9001ba1b44bb76fd9 7bc5da4842bed3252d26e742213741a4d0ac1b14 git	Not specified
CNA	Linux	Linux	affected 2.6.24	Not specified
CNA	Linux	Linux	unaffected 2.6.24 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.136 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.83 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.24 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 6.19.14 6.19.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.