PatchSiren cyber security CVE debrief
CVE-2026-43075 Linux CVE debrief
CVE-2026-43075 is a Linux kernel OCFS2 flaw in inline-data write handling. The filesystem code trusted the on-disk id_count field without checking its upper bound: on a corrupted OCFS2 filesystem, an oversized id_count can make ocfs2_write_end_inline() write past the inode block buffer, which KASAN reports as a use-after-free style write into an adjacent freed page. The referenced fix adds an upper-bound check for id_count in ocfs2_validate_inode_block() alongside the existing i_size validation.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-06
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-06
- Advisory updated: 2026-05-20
Who should care
Linux kernel maintainers, distribution security teams, and administrators running OCFS2 filesystems should prioritize this issue, especially on systems that may mount or process corrupted or untrusted OCFS2 images.
Technical summary
NVD classifies the bug as CWE-787 and assigns CVSS 3.1 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerable path is in ocfs2_write_end_inline(), reached from ocfs2_write_end_nolock() during copy_file_range/splice fallback. The root cause is a missing upper-bound check on the on-disk id_count field, which allows inline-data writes to overflow the inode block buffer. The official kernel fix validates id_count in ocfs2_validate_inode_block() before the inline write proceeds.
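The missing bound, shown as a simplified user-space C model (an added example, not the kernel patch and not code from the CVE record). The block size, the INLINE_OFF offset, the struct and the function names are assumptions for illustration, and the existing i_size rule is modelled here as i_size <= id_count.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model only: layout, constants and names are assumptions,
 * not the kernel's definitions. */
#define BLOCK_SIZE 4096u  /* assumed filesystem block size */
#define INLINE_OFF 200u   /* assumed offset of the inline-data area in the inode block */

struct model_inode {      /* parsed view of one on-disk inode block */
    uint64_t i_size;      /* file size recorded on disk */
    uint16_t id_count;    /* inline capacity recorded on disk (untrusted input) */
};

/* Bytes that physically exist between the inline-data area and the block end. */
static size_t inline_capacity(void) { return BLOCK_SIZE - INLINE_OFF; }

/* Read-time validation: reject the inode before any write path sees id_count. */
int validate_inline_inode(const struct model_inode *di)
{
    if ((size_t)di->id_count > inline_capacity())
        return -1;        /* id_count claims more room than the block holds */
    if (di->i_size > di->id_count)
        return -1;        /* assumed form of the i_size check: must fit id_count */
    return 0;
}

/* Write path: id_count is the only limit applied to the copy, so the copy is
 * safe only if id_count itself was bounded by validate_inline_inode(). */
int write_inline(uint8_t *block, const struct model_inode *di,
                 size_t pos, const uint8_t *src, size_t len)
{
    size_t cap = di->id_count;

    if (validate_inline_inode(di) != 0)
        return -1;
    if (pos > cap || len > cap - pos)
        return -1;        /* write would leave the declared inline area */
    memcpy(block + INLINE_OFF + pos, src, len);
    return 0;
}
```

Without the first check in validate_inline_inode(), an id_count of 0xFFFF would let write_inline() accept offsets far beyond the 4096-byte block in this model.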
Defensive priority
High for any environment that uses OCFS2, because the flaw can lead to local kernel memory corruption with high confidentiality, integrity, and availability impact once a malformed or corrupted filesystem is processed.
Recommended defensive actions
- Apply the Linux kernel updates that include the OCFS2 inline-data validation fix referenced in the official stable patch links.
- Inventory hosts using OCFS2 and prioritize patching systems that may mount loop-backed, imported, or otherwise untrusted filesystem images.
- Treat corrupted or externally supplied OCFS2 images as high risk and avoid mounting them on production systems until patched.
- If immediate patching is not possible, reduce exposure by limiting who can mount OCFS2 filesystems and by monitoring for kernel crashes during file copy or splice-related operations.
Evidence notes
This debrief is based only on the official NVD/CVE record and the kernel.org stable patch references supplied in the source corpus. NVD marks the vulnerability as analyzed and lists CWE-787 with a CVSS 3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The source description states that KASAN reported the overwrite as a UAF-style write, but the actual bug is an out-of-bounds write past the inode block buffer caused by trusting the on-disk id_count value too much.
Official resources
- CVE-2026-43075 CVE record (CVE.org)
- CVE-2026-43075 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
CVE published by NVD on 2026-05-06T10:16:20.463Z and last modified on 2026-05-20T23:19:40.187Z. The CVE record points to official Linux kernel stable patch references on kernel.org; no exploit details are included here.