PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43076 Linux CVE debrief

CVE-2026-43076 is a Linux kernel OCFS2 inode-validation bug. When the kernel reads an inode from disk, ocfs2_validate_inode_block() did not verify that inline data i_size stayed within the actual inline data capacity (id_count). On a corrupted filesystem, that mismatch can let directory iteration walk past the inline buffer and reach freed memory, resulting in a use-after-free in the directory-entry validation path.

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-06
Original CVE updated
2026-05-20
Advisory published
2026-05-06
Advisory updated
2026-05-20

Who should care

Linux kernel maintainers, distro security teams, storage and filesystem administrators, and anyone running systems that may mount or inspect OCFS2 filesystems should care. The issue is in kernel-side filesystem parsing, so exposure depends on whether a system processes a corrupted or malicious OCFS2 filesystem image.

Technical summary

According to the NVD record and linked kernel patch references, the flaw is in OCFS2 inode validation during disk read. The missing check allowed an inode's i_size to exceed inline data capacity (id_count). That invalid state could then propagate into ocfs2_dir_foreach_blk_id(), which may iterate beyond the inline data buffer. The reported failure mode was a garbage rec_len advancing ctx->pos out of bounds and triggering a use-after-free in ocfs2_check_dir_entry(). The fix is to reject inline-data inodes whose i_size is larger than id_count during ocfs2_validate_inode_block().

Defensive priority

High. The CVSS vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating substantial impact once a vulnerable system processes a problematic filesystem object, but with local/user-interaction constraints. Patch and reboot or otherwise deploy the fixed kernel builds as soon as practical on systems that use OCFS2.

Recommended defensive actions

  • Apply the vendor kernel updates or stable patches linked in the NVD record for affected branches.
  • Prioritize systems that mount, repair, scan, or otherwise process OCFS2 filesystems.
  • If OCFS2 is not needed on a fleet, consider disabling the module or reducing exposure to untrusted OCFS2 images.
  • Track distro security advisories for backported fixes corresponding to the referenced upstream stable commits.
  • Validate that fixed kernels are deployed across all supported release branches listed by NVD before decommissioning any compensating controls.

Evidence notes

NVD lists CVE-2026-43076 as analyzed, with a Linux kernel CPE and CWE-416. The NVD description states that ocfs2_validate_inode_block() lacked validation of inline-data i_size versus id_count, and that the fix adds a check to reject invalid inodes during inode read. NVD also links multiple kernel.org stable patch references, which support remediation guidance. Affected-version ranges in the NVD record are the authoritative version bounds used here.

Official resources

CVE published by NVD on 2026-05-06T10:16:20.590Z and last modified on 2026-05-20T23:19:25.910Z. The source corpus ties remediation to multiple Linux kernel stable patch references. Affected-version ranges in the NVD record include Linux 2.6