
PatchSiren cyber security CVE debrief

CVE-2026-46299 Linux CVE debrief

CVE-2026-46299 is a HIGH severity vulnerability in the Linux kernel. The vulnerability is a lock that is still held when the structure containing it is freed, in the hfsplus_fill_super() function. The function calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing the lock. The later cleanup path then frees the tree data structure with the lock still held, triggering lockdep's "held lock freed" warning.

Vendor: Linux
Product: Unknown
CVSS: HIGH (7)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-14
Advisory published: 2026-06-08
Advisory updated: 2026-06-14

Who should care

Users of the Linux kernel, particularly those using the hfsplus file system, should be aware of this vulnerability. An attacker with local access could potentially exploit this vulnerability to gain elevated privileges.

Technical summary

The vulnerability is caused by a missing call to hfs_find_exit() in the error path of hfsplus_fill_super(). This can be fixed by adding the missing call to hfs_find_exit() before jumping to the out_put_root error label.
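The following is an added illustration, not code from the Linux kernel or from this advisory. It models the hfs_find_init() / hfs_find_exit() pairing with simplified stand-ins (mock_btree, mock_find_data, mock_find_init, mock_find_exit, mock_build_key and mock_free_tree are all assumed names) so that the unbalanced error path and the corrected one can be compared side by side. The mock records, in place of lockdep's warning, whether the tree was freed while its lock was still held.

```c
/* Added illustration (not kernel code): a mock of the hfs_find_init() /
 * hfs_find_exit() pairing in hfsplus_fill_super(), showing why an early
 * goto on hfsplus_cat_build_key() failure leaves tree_lock held when the
 * tree is later freed, and how releasing before the jump fixes it.
 * Every type and helper below is a simplified stand-in, not the real API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct hfs_btree: only the lock state matters here. */
struct mock_btree {
    int lock_held;          /* 1 while tree_lock is held */
    int freed_while_locked; /* set by mock_free_tree(), like lockdep's warning */
};

/* Stand-in for struct hfs_find_data. */
struct mock_find_data {
    struct mock_btree *tree;
    char *search_key;
};

/* Mock hfs_find_init(): allocates the search key and takes tree_lock. */
static int mock_find_init(struct mock_btree *tree, struct mock_find_data *fd)
{
    fd->tree = tree;
    fd->search_key = malloc(64);
    if (!fd->search_key)
        return -1;
    tree->lock_held = 1;
    return 0;
}

/* Mock hfs_find_exit(): releases tree_lock and frees the search key. */
static void mock_find_exit(struct mock_find_data *fd)
{
    free(fd->search_key);
    fd->search_key = NULL;
    fd->tree->lock_held = 0;
}

/* Mock hfsplus_cat_build_key(): fails when the caller asks it to. */
static int mock_build_key(struct mock_find_data *fd, int force_failure)
{
    if (force_failure)
        return -1;
    strcpy(fd->search_key, "root-dir-key"); /* constructed value */
    return 0;
}

/* Mock teardown that frees the tree; records a lock held at free time. */
static void mock_free_tree(struct mock_btree *tree)
{
    if (tree->lock_held)
        tree->freed_while_locked = 1;
}

/* Vulnerable shape: on build_key failure, jump straight to out_put_root
 * without mock_find_exit(), so the lock is still held at teardown.
 * Returns 1 if the tree was freed while locked, 0 otherwise. */
int fill_super_vulnerable(int build_key_fails)
{
    struct mock_btree tree = {0, 0};
    struct mock_find_data fd = {NULL, NULL};
    int err;

    err = mock_find_init(&tree, &fd);
    if (err)
        goto out_put_root;
    err = mock_build_key(&fd, build_key_fails);
    if (err)
        goto out_put_root;          /* BUG: lock (and key) never released */
    mock_find_exit(&fd);

out_put_root:
    mock_free_tree(&tree);
    return tree.freed_while_locked;
}

/* Fixed shape: release the search state before taking the error exit. */
int fill_super_fixed(int build_key_fails)
{
    struct mock_btree tree = {0, 0};
    struct mock_find_data fd = {NULL, NULL};
    int err;

    err = mock_find_init(&tree, &fd);
    if (err)
        goto out_put_root;
    err = mock_build_key(&fd, build_key_fails);
    if (err) {
        mock_find_exit(&fd);        /* FIX: balance hfs_find_init() first */
        goto out_put_root;
    }
    mock_find_exit(&fd);

out_put_root:
    mock_free_tree(&tree);
    return tree.freed_while_locked;
}

int main(void)
{
    printf("vulnerable, build_key fails: freed while locked = %d\n",
           fill_super_vulnerable(1));
    printf("fixed, build_key fails:      freed while locked = %d\n",
           fill_super_fixed(1));
    return 0;
}
```

The useful review habit this models is checking every error exit between an acquire and its matching release: any goto or early return that lands past the release point must either perform the release itself or jump to a label that does, which is exactly the balance the kernel fix restores.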

Defensive priority

HIGH

Recommended defensive actions

  • Apply the patch from the Linux kernel repository [ref-4](https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9) or a similar fix from a trusted source.
  • Use secure coding practices and review code for similar issues.
  • Monitor for and apply future kernel updates that may address this vulnerability.

Evidence notes

The vulnerability was detected using an experimental static analysis tool and verified through runtime testing under QEMU with x86_64 defconfig, lockdep enabled, and CONFIG_HFSPLUS_FS=y.

Official resources

CVE-2026-46299 was published on 2026-06-08T17:16:48.393Z and modified on 2026-06-14T06:16:23.387Z.