Home

Description

In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-25 | Updated 2026-06-25 | Assigner Linux

Product status

Default status
unaffected

d25e4b739f8378419f990983f2542160e79738c5 (git) before e7051909a01bfb883bfa78b27514854068ac4b85
affected

d25e4b739f8378419f990983f2542160e79738c5 (git) before 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2
affected

Default status
affected

6.19
affected

Any version before 6.19
unaffected

7.0.13 (semver)
unaffected

7.1 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/e7051909a01bfb883bfa78b27514854068ac4b85

git.kernel.org/...c/1711b6ed6953cee5940ca4c3a6e77f1b3798cee2

cve.org (CVE-2026-53174)

nvd.nist.gov (CVE-2026-53174)

Download JSON