HIGH 7.0

CVE-2026-46299: Linux Kernel HFS+ Lock Handling Vulnerability

CVE-2026-46299 is a lock-handling bug in the Linux kernel's HFS+ filesystem driver that can allow a local attacker with moderate privileges to crash the system or potentially escalate privileges. The vulnerability occurs during filesystem mount when the code acquires a lock but fails to release it properly if certain filename validation steps fail. This causes the system to detect a memory leak while a critical lock is still held, triggering a kernel warning and potential system instability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.0 HIGH · CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-667
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix held lock freed on hfsplus_fill_super() hfsplus_fill_super() calls hfs_find_init() to initialize a search structure, which acquires tree->tree_lock. If the subsequent call to hfsplus_cat_build_key() fails, the function jumps to the out_put_root error label without releasing the lock. The later cleanup path then frees the tree data structure with the lock still held, triggering a held lock freed warning. Fix this by adding the missing hfs_find_exit(&fd) call before jumping to the out_put_root error label. This ensures that tree->tree_lock is properly released on the error path. The bug was originally detected on v6.13-rc1 using an experimental static analysis tool we are developing, and we have verified that the issue persists in the latest mainline kernel. The tool is specifically designed to detect memory management issues. It is currently under active development and not yet publicly available. We confirmed the bug by runtime testing under QEMU with x86_64 defconfig, lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we used GDB to dynamically shrink the max_unistr_len parameter to 1 before hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and exercises the faulty error path. The following warning was observed during mount: ========================= WARNING: held lock freed! 7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted ------------------------- mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there! ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 2 locks held by mount/174: #0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40 #1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0 stack backtrace: CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 debug_check_no_locks_freed+0x13a/0x180 kfree+0x16b/0x510 ? hfsplus_fill_super+0xcb4/0x18a0 hfsplus_fill_super+0xcb4/0x18a0 ? __pfx_hfsplus_fill_super+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x65f/0xc30 ? srso_return_thunk+0x5/0x5f ? pointer+0x4ce/0xbf0 ? trace_contention_end+0x11c/0x150 ? __pfx_pointer+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? bdev_open+0x79b/0xc30 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? vsnprintf+0x6da/0x1270 ? srso_return_thunk+0x5/0x5f ? __mutex_unlock_slowpath+0x157/0x740 ? __pfx_vsnprintf+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? mark_held_locks+0x49/0x80 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? irqentry_exit+0x17b/0x5e0 ? trace_irq_disable.constprop.0+0x116/0x150 ? __pfx_hfsplus_fill_super+0x10/0x10 ? __pfx_hfsplus_fill_super+0x10/0x10 get_tree_bdev_flags+0x302/0x580 ? __pfx_get_tree_bdev_flags+0x10/0x10 ? vfs_parse_fs_qstr+0x129/0x1a0 ? __pfx_vfs_parse_fs_qstr+0x3/0x10 vfs_get_tree+0x89/0x320 fc_mount+0x10/0x1d0 path_mount+0x5c5/0x21c0 ? __pfx_path_mount+0x10/0x10 ? trace_irq_enable.constprop.0+0x116/0x150 ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x307/0x540 ? user_path_at+0x51/0x60 ? __x64_sys_mount+0x212/0x280 ? srso_return_thunk+0x5/0x5f __x64_sys_mount+0x212/0x280 ? __pfx___x64_sys_mount+0x10/0x10 ? srso_return_thunk+0x5/0x5f ? trace_irq_enable.constprop.0+0x116/0x150 ? srso_return_thunk+0x5/0x5f do_syscall_64+0x111/0x680 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ffacad55eae Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8 RSP: 002b ---truncated---

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in hfsplus_fill_super(), which initializes a search structure via hfs_find_init() to acquire tree->tree_lock. If hfsplus_cat_build_key() fails—specifically when hfsplus_asc2uni() returns -ENAMETOOLONG due to name string length validation—the error path jumps to out_put_root without calling hfs_find_exit(&fd) to release the lock. The kernel's lockdep mechanism detects this held lock on a freed memory region, triggering a 'held lock freed' warning. The fix is straightforward: add hfs_find_exit(&fd) before the problematic jump to ensure lock release on all error paths.

Business impact

This vulnerability primarily affects systems running HFS+ filesystems on Linux, which is increasingly rare in enterprise environments but may be present in systems managing macOS-formatted storage devices or legacy systems. The impact is local denial of service through filesystem mount failure or potential privilege escalation from an unprivileged user to kernel-level access. Organizations with HFS+ workloads face availability risk if an attacker can trigger the faulty code path, and the HIGH severity score reflects the potential for privilege escalation.

Affected systems

The vulnerability affects the Linux kernel across all versions through at least the current mainline branch (verified on v6.13-rc1 and later). Any Linux system with CONFIG_HFSPLUS_FS enabled is vulnerable, particularly those mounting HFS+ partitions. The vulnerability is triggered during mount time, so persistent exposure requires either regularly mounting untrusted HFS+ media or misconfigured automatic mounting.

Exploitability

Exploitability is moderate. An attacker requires local access and sufficient privilege to attempt filesystem mount operations (typically unprivileged users can attempt this via unprivileged namespaces or with explicit mount capability). Triggering the bug requires either crafting a malformed HFS+ filesystem image with pathologically long filenames or using a debugging tool to modify kernel state. The CVSS vector (AV:L/AC:H/PR:L/UI:N) correctly reflects that exploitation requires local access and high complexity (AC:H), though the consequences—privilege escalation and system compromise—are severe.

Remediation

Apply the kernel patch adding hfs_find_exit(&fd) before the out_put_root label in hfsplus_fill_super(). For immediate mitigation, disable HFS+ support by setting CONFIG_HFSPLUS_FS=n at kernel build time if the filesystem is not required. Alternatively, implement filesystem mount restrictions or AppArmor/SELinux policies to prevent untrusted HFS+ media from being mounted. Monitor for subsequent upstream kernel releases containing this fix.

Patch guidance

Check your Linux kernel version and configuration. If CONFIG_HFSPLUS_FS is enabled, prioritize patching when the fix is released upstream (typically in the next stable kernel series after mainline merge). Verify the patch against the official Linux kernel repository commit that resolves this issue. Backports to active stable branches (6.1.x, 6.6.x, 6.9.x, etc.) should be expected within weeks of upstream merge. Apply patches during your standard kernel update cycle, prioritizing systems that actively mount HFS+ filesystems.

Detection guidance

Monitor kernel logs for 'held lock freed' warnings related to hfsplus_fill_super or hfs_find_init during filesystem mount operations. Lockdep must be enabled (CONFIG_LOCKDEP=y) to detect this warning. Kernel audit logs will show mount attempts on HFS+ filesystems; correlate these with system stability issues. Note that the vulnerability is triggered at mount time, so detection requires observing the mount operation itself—there is no runtime signal during normal filesystem use.

Why prioritize this

While the CVSS score is HIGH (7.0) due to potential privilege escalation and system compromise, the practical urgency depends on your HFS+ usage. Organizations without HFS+ support enabled can defer this patch. Those mounting HFS+ filesystems, particularly from untrusted sources, should prioritize patching. The attack complexity being high (AC:H) and the requirement for local access limit the threat profile for most enterprise environments, but the privilege escalation vector warrants attention in multi-user or container environments where unprivileged users can mount filesystems.

Risk score, explained

The CVSS 3.1 score of 7.0 (HIGH) reflects a local attack vector with unprivileged requirements, high attack complexity, and severe impact (confidentiality, integrity, and availability all HIGH). The score appropriately captures that exploitation is not trivial but the consequences are kernel-level compromise. The absence from the CISA KEV catalog suggests limited real-world exploitation detected to date, reducing temporal risk. For organizations with HFS+ disabled or unused, the practical risk is lower; for those actively using HFS+, the score accurately represents the severity.

Frequently asked questions

Why does this only affect HFS+ filesystems? Can other Linux filesystems be vulnerable to the same issue?

HFS+ is a filesystem type with specific name validation rules implemented in hfsplus_asc2uni(). The vulnerability is specific to the code path in hfsplus_fill_super(). Other Linux filesystems have different mount initialization logic and would need separate vulnerability analysis. However, this issue highlights the importance of auditing lock acquisition/release patterns across all filesystem drivers.

Do I need to worry about this if I don't mount HFS+ filesystems?

No. If CONFIG_HFSPLUS_FS is disabled at kernel compile time, or if you never mount HFS+ partitions, this vulnerability is not relevant to your systems. Check your kernel configuration (cat /boot/config-$(uname -r) | grep HFSPLUS_FS) to confirm.

Can this vulnerability be triggered remotely or only locally?

Only locally. The vulnerability requires local filesystem mount capability, making it inaccessible to remote attackers. This limits the threat in typical server environments but remains relevant in multi-user systems, container environments, or systems where untrusted users have mount access.

What are signs that my system has been affected by this vulnerability?

You would observe kernel warnings in dmesg or systemd journal mentioning 'held lock freed' and hfsplus_fill_super during HFS+ mount attempts. The system may fail to mount the filesystem or experience subsequent instability. This only occurs if the specific error condition (invalid filename length) is triggered during mount, which is relatively rare without a malformed filesystem.

This analysis is provided for informational purposes and reflects the CVE description and publicly available kernel development information as of the publication date. Patch version numbers, exact release dates, and deployment guidance should be verified against official Linux kernel advisories and your distribution's security bulletin. The vulnerability requires local access and is only relevant to systems with HFS+ filesystem support enabled. Always test patches in non-production environments before deployment. SEC.co makes no guarantee regarding the completeness or accuracy of remediation guidance and recommends consulting official kernel security resources for definitive information. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).