MEDIUM 5.5

CVE-2026-46169

CVE-2026-46169 is a memory initialization bug in the Linux kernel's HFS+ filesystem driver. When mounting a corrupted HFS+ filesystem, the kernel may read incomplete catalog records and fail to detect that the data is truncated. This leaves portions of a kernel data structure uninitialized. Later, when the filesystem code attempts to process the incomplete record—such as performing case-insensitive string comparison—it uses the uninitialized memory as array indices, triggering a kernel warning. An unprivileged local attacker with the ability to mount a crafted filesystem image could trigger this condition, potentially causing a denial of service or information disclosure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-908
Affected products
6 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix uninit-value by validating catalog record size Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The root cause is that hfs_brec_read() doesn't validate that the on-disk record size matches the expected size for the record type being read. When mounting a corrupted filesystem, hfs_brec_read() may read less data than expected. For example, when reading a catalog thread record, the debug output showed: HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26 HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ! hfs_brec_read() only validates that entrylength is not greater than the buffer size, but doesn't check if it's less than expected. It successfully reads 26 bytes into a 520-byte structure and returns success, leaving 494 bytes uninitialized. This uninitialized data in tmp.thread.nodeName then gets copied by hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering the KMSAN warning when the uninitialized bytes are used as array indices in case_fold(). Fix by introducing hfsplus_brec_read_cat() wrapper that: 1. Calls hfs_brec_read() to read the data 2. Validates the record size based on the type field: - Fixed size for folder and file records - Variable size for thread records (depends on string length) 3. Returns -EIO if size doesn't match expected For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading nodeName.length to avoid reading uninitialized data at call sites that don't zero-initialize the entry structure. Also initialize the tmp variable in hfsplus_find_cat() as defensive programming to ensure no uninitialized data even if validation is bypassed.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the HFS+ filesystem mount and catalog lookup code path. Specifically, hfs_brec_read() reads disk records but only validates that the on-disk entrylength does not exceed the buffer size; it does not validate that entrylength meets the minimum expected size for the record type being read. When a corrupted filesystem presents a shortened catalog record (e.g., 26 bytes instead of the expected 520 bytes for a catalog thread record), hfs_brec_read() successfully returns after a partial read, leaving uninitialized kernel memory in the structure. This uninitialized data is subsequently copied by hfsplus_cat_build_key_uni() and passed to hfsplus_strcasecmp(), where it is dereferenced as array indices in case_fold(), triggering KMSAN (Kernel Memory Sanitizer) uninitialized-value warnings. The fix introduces hfsplus_brec_read_cat() as a validation wrapper that checks record size against type-specific expectations before returning to the caller, and initializes the tmp variable in hfsplus_find_cat() as a defensive measure.

Business impact

This vulnerability has limited direct business impact for most deployments. It requires local filesystem access (mounting a crafted HFS+ image) and affects only systems actively using HFS+ (primarily legacy macOS compatibility scenarios). However, in environments where users can mount untrusted filesystems—such as multitenant systems, lab environments, or support scenarios involving user-supplied disk images—a malicious actor could trigger a kernel warning or panic, resulting in temporary service disruption. Information disclosure through uninitialized memory read is also theoretically possible, though constrained by the memory layout and use context.

Affected systems

Any Linux system with the HFS+ filesystem driver compiled and enabled (CONFIG_HFSPLUS). This includes distribution kernels that include HFS+ support for compatibility with Apple devices. Systems that do not use HFS+ (and have the module disabled or not loaded) are not vulnerable. Affected Linux kernel versions prior to the patch release are subject to this issue.

Exploitability

Exploitability is limited to local attackers with the ability to mount filesystems. This requires either direct console access or membership in a group with mount privileges (e.g., wheel, sudoers). The attacker must craft a corrupted HFS+ filesystem image and mount it on the target system. No network vector exists, and no privilege escalation is implied by the vulnerability alone. The condition is triggered reliably if a malformed filesystem is mounted, making it suitable for denial-of-service scenarios but not for remote exploitation.

Remediation

Apply the Linux kernel patch that introduces hfsplus_brec_read_cat() catalog record validation. This patch validates catalog record sizes according to type (fixed sizes for file and folder records, minimum size checks for thread records) and returns -EIO if the on-disk size does not match expectations. Additionally, defensive initialization of the tmp variable in hfsplus_find_cat() prevents uninitialized memory use if validation is somehow bypassed. Verify the specific kernel version in your advisory or release notes for the exact patch version number.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates that address CVE-2026-46169. The patch is a targeted fix to the HFS+ subsystem and does not require a full kernel rebuild if you use a modular setup. If HFS+ is not in use on your systems, you may disable the module (CONFIG_HFSPLUS=n) to eliminate the attack surface entirely, though patching is still recommended for defense-in-depth. Verify patch application by checking kernel version and reviewing the changelog for the hfsplus_brec_read_cat() function addition.

Detection guidance

Monitor kernel logs for KMSAN warnings related to hfsplus_strcasecmp() or uninitialized-value reports in hfs_brec_read(). Such warnings may indicate an attempt to trigger this vulnerability. On systems with audit enabled, track mount operations involving HFS+ filesystems and cross-reference them with unexpected or untrusted filesystem images. If using intrusion detection, look for patterns of catalog operations on corrupted filesystems. Runtime memory sanitizers (KMSAN) will reliably detect the condition if enabled in your kernel build.

Why prioritize this

Assign this vulnerability to the standard queue rather than critical response. The CVSS 5.5 MEDIUM score reflects local-only attack surface and denial-of-service impact. However, prioritize patching in environments where users regularly mount untrusted filesystems or where HFS+ is actively used for compatibility (e.g., systems handling macOS disk images). Systems with HFS+ disabled or not mounted can be deprioritized but should still receive the patch as part of routine updates.

Risk score, explained

The CVSS 3.1 score of 5.5 (MEDIUM) reflects: (AV:L) Attack Vector Local—requires local filesystem access or mount privilege; (AC:L) Attack Complexity Low—the condition is triggered reliably by a malformed filesystem; (PR:L) Privileges Required Local user privilege to mount; (UI:N) User Interaction None; (S:U) Scope Unchanged; (C:N) Confidentiality None—no direct data breach, though uninitialized memory could theoretically leak kernel pointers; (I:N) Integrity None—no filesystem or data modification; (A:H) Availability High—kernel warning or panic can disrupt service. The score does not include network attack vector and requires local access, preventing a higher rating.

Frequently asked questions

Do I need to patch if I don't use HFS+ filesystems?

Not urgently, but you should still patch as part of routine kernel updates. If HFS+ support is disabled in your kernel configuration (CONFIG_HFSPLUS=n) and the module is not loaded, your system is not vulnerable. However, disabling the module entirely is the only reliable way to guarantee immunity if you do not need HFS+ support.

Can this vulnerability be exploited remotely?

No. The vulnerability requires local filesystem access and the ability to mount a crafted filesystem image. Remote attackers cannot trigger this condition without first obtaining local shell access or mount privileges on the target system.

What happens if this vulnerability is triggered?

Triggering this vulnerability causes KMSAN to report an uninitialized-value warning and potentially triggers a kernel panic or graceful shutdown, resulting in temporary denial of service. In systems without KMSAN enabled, the uninitialized memory may be used as array indices in case folding operations, leading to undefined behavior or information disclosure. A complete kernel crash is possible depending on the content of the uninitialized region.

Does this affect macOS systems?

No. This vulnerability is specific to the Linux kernel's HFS+ implementation. macOS uses a different HFS+ driver and is not affected by this Linux kernel bug.

This analysis is provided for informational purposes only and reflects the current state of publicly available vulnerability information. Readers are strongly advised to verify all patch versions, affected kernel versions, and remediation steps directly against official Linux distribution advisories and kernel.org security notices, as these details are subject to change. CVE-2026-46169 is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. No public exploit code is known to exist at the time of publication. Organizations should conduct their own risk assessment based on their specific HFS+ usage, deployment architecture, and local access controls. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for decisions made based on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities