
CVE-2026-53041: ocfs2: fix listxattr handling when the buffer is full

CVSS 7.1 (High) · EPSS 0.13% · P3

Affected Version Matrix (18 ranges)

Each range is given as git commit hashes: it starts at the commit that introduced the bug (936b8834366e, named in the description below) and ends before the commit that fixes it in a given branch.

Vendor  Product  Version Range                                                                                      Status
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < a35a1c2b170b5b578b1b3fecb95694796552af9a   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < 2323084c17370304f49c84b354fe7b3edbb264fe   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < 6f702b00b8124c5d3525f19172934544826a114d   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < d919b905939eda93393e3572900ff70dbad2b47f   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < 46e66fefb83811958127bc9ad736983ec629d82b   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < 2685df8577a38d83b367c8cf52eda9dc286959ff   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < 50033ec1350fe68abdc63b950ced7ae57364b77a   affected
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e < d12f558e6200b3f47dbef9331ed6d115d2410e59   affected
… +10 more rows

I. Basic Information for CVE-2026-53041

Vulnerability Information


Vulnerability Title
ocfs2: fix listxattr handling when the buffer is full
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix listxattr handling when the buffer is full

[BUG]
If an OCFS2 inode has both inline and block-based xattrs, listxattr() can return a size larger than the caller's buffer when the inline names consume that buffer exactly.

    kernel BUG at mm/usercopy.c:102!
    Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
    RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
    Call Trace:
     __check_heap_object+0xe3/0x120 mm/slub.c:8243
     check_heap_object mm/usercopy.c:196 [inline]
     __check_object_size mm/usercopy.c:250 [inline]
     __check_object_size+0x5c5/0x780 mm/usercopy.c:215
     check_object_size include/linux/ucopysize.h:22 [inline]
     check_copy_size include/linux/ucopysize.h:59 [inline]
     copy_to_user include/linux/uaccess.h:219 [inline]
     listxattr+0xb0/0x170 fs/xattr.c:926
     filename_listxattr fs/xattr.c:958 [inline]
     path_listxattrat+0x137/0x320 fs/xattr.c:988
     __do_sys_listxattr fs/xattr.c:1001 [inline]
     __se_sys_listxattr fs/xattr.c:998 [inline]
     __x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
     ...

[CAUSE]
Commit 936b8834366e ("ocfs2: Refactor xattr list and remove ocfs2_xattr_handler().") replaced the old per-handler list accounting with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect probe mode. That assumption stops being true once ocfs2_listxattr() finishes the inline-xattr pass. If the inline names fill the caller buffer exactly, the block-xattr pass runs with a non-NULL buffer and a remaining size of zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps counting block names, and returns a positive size larger than the supplied buffer.

[FIX]
Detect probe mode by testing whether the destination buffer pointer is NULL instead of whether the remaining size is zero. That restores the pre-refactor behavior and matches the OCFS2 getxattr helpers. Once the remaining buffer reaches zero while more names are left, the block-xattr pass now returns -ERANGE instead of reporting a size larger than the allocated list buffer.
Source: NVD (National Vulnerability Database)
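The accounting mistake in the [CAUSE] paragraph is easy to reproduce outside the kernel. The following is an added user-space model, not ocfs2 code: it walks two passes of NUL-terminated xattr names (inline, then block) into a caller-supplied buffer, once with the pre-refactor-style probe test (remaining size == 0) and once with the fixed test (destination pointer == NULL). The names list_ctx, probe_by_size, probe_by_null, list_entry, run_listxattr and the demo_* functions are hypothetical, and the two sample names are constructed so that the inline name fills a 7-byte buffer exactly, which is the condition the advisory describes. The VFS caller shown in the trace (listxattr in fs/xattr.c) allocates the buffer at the requested size and then copy_to_user()s the returned count, so a count larger than the buffer is what trips the usercopy check.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Added model of the two-pass xattr name listing; hypothetical names, not ocfs2 code. */
struct list_ctx {
    char   *buffer;  /* destination for names; NULL means probe mode (size query only) */
    size_t  remain;  /* bytes still free in buffer */
    ssize_t total;   /* bytes written so far, or that would be written in probe mode */
};

typedef int (*probe_fn)(const struct list_ctx *);

/* Pre-fix test: "no room left" is mistaken for "only counting". */
static int probe_by_size(const struct list_ctx *c) { return c->remain == 0; }

/* Fixed test: probe mode is "no destination buffer at all". */
static int probe_by_null(const struct list_ctx *c) { return c->buffer == NULL; }

/* Append one NUL-terminated name, or just count it when in probe mode. */
static int list_entry(struct list_ctx *c, const char *name, probe_fn is_probe)
{
    size_t len = strlen(name) + 1;   /* the list stores names with their NUL */

    if (is_probe(c)) {               /* count only, no bounds check needed */
        c->total += len;
        return 0;
    }
    if (len > c->remain)             /* real buffer, not enough room: report overflow */
        return -ERANGE;
    memcpy(c->buffer, name, len);
    c->buffer += len;
    c->remain -= len;
    c->total  += len;
    return 0;
}

/* Two passes, inline names then block names, as the advisory describes. */
static ssize_t run_listxattr(probe_fn is_probe, char *buffer, size_t size)
{
    /* Constructed sample data: one inline name (7 bytes with NUL), one block name (8 bytes). */
    static const char *const inline_names[] = { "user.a" };
    static const char *const block_names[]  = { "user.bb" };
    struct list_ctx c = { buffer, size, 0 };
    size_t i;
    int ret;

    for (i = 0; i < sizeof inline_names / sizeof *inline_names; i++)
        if ((ret = list_entry(&c, inline_names[i], is_probe)))
            return ret;
    for (i = 0; i < sizeof block_names / sizeof *block_names; i++)
        if ((ret = list_entry(&c, block_names[i], is_probe)))
            return ret;
    return c.total;
}

#define INLINE_BYTES 7   /* strlen("user.a") + 1: the inline pass fills this exactly */

/* Size query: both predicates agree that the full list needs 15 bytes. */
ssize_t demo_probe(void) { return run_listxattr(probe_by_size, NULL, 0); }

/* Pre-fix behaviour: inline pass leaves remain == 0, block pass is mistaken for
 * probe mode and keeps counting, so 15 is returned for a 7-byte buffer. */
ssize_t demo_buggy_fill(void)
{
    char buf[INLINE_BYTES];
    return run_listxattr(probe_by_size, buf, sizeof buf);
}

/* Fixed behaviour: the block pass sees a non-NULL buffer with no room and
 * returns -ERANGE instead of a size larger than the buffer. */
ssize_t demo_fixed_fill(void)
{
    char buf[INLINE_BYTES];
    return run_listxattr(probe_by_null, buf, sizeof buf);
}

/* Fixed behaviour with a buffer sized from the probe result: both names fit. */
ssize_t demo_fixed_enough(void)
{
    char buf[15];
    return run_listxattr(probe_by_null, buf, sizeof buf);
}
```

The interesting case is demo_buggy_fill: every individual step looks locally reasonable, but the probe predicate conflates two states (a size query and an exhausted real buffer) that the fixed predicate keeps apart. A regression test for this class of bug is exactly the one above, listing into a buffer whose size equals the first pass's output.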
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel security vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). Linux kernel version 2.6.28 has a security vulnerability that stems from incomplete bounds checking in the ocfs2 file system's listxattr handling: when inline and block-based xattrs are both present and the inline names exactly fill the caller's buffer, a kernel crash can result.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor  Product  Affected Versions                                                                                 CPE
Linux   Linux    936b8834366ec05f2a6993f73afd8348cac9718e ~ a35a1c2b170b5b578b1b3fecb95694796552af9a   -
Linux   Linux    2.6.28                                                                                   -

II. Public POCs for CVE-2026-53041


No public POC found.


III. Intelligence Information for CVE-2026-53041


Patches & Fixes for CVE-2026-53041 (8)

Same Patch Batch · Linux · 2026-06-24 · 219 CVEs total

CVE ID           CVSS  Severity  Title
CVE-2026-52982   9.8   CRITICAL  net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()
CVE-2026-53046   9.8   CRITICAL  ksmbd: fix use-after-free from async crypto on Qualcomm crypto engine
CVE-2026-52955   9.8   CRITICAL  libceph: Fix potential out-of-bounds access in crush_decode()
CVE-2026-53045   9.8   CRITICAL  memory: tegra124-emc: Fix dll_change check
CVE-2026-53049   9.8   CRITICAL  gfs2: add some missing log locking
CVE-2026-53010   9.8   CRITICAL  ksmbd: fix use-after-free in smb2_open during durable reconnect
CVE-2026-53088   9.8   CRITICAL  net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
CVE-2026-53006   9.8   CRITICAL  ipv6: fix possible UAF in icmpv6_rcv()
CVE-2026-53055   9.8   CRITICAL  crypto: hisilicon/sec2 - prevent req used-after-free for sec
CVE-2026-53002   9.8   CRITICAL  netfilter: conntrack: remove sprintf usage
CVE-2026-53086   9.8   CRITICAL  net: bcmgenet: fix racing timeout handler
CVE-2026-52914   9.8   CRITICAL  batman-adv: fix fragment reassembly length accounting
CVE-2026-52993   9.8   CRITICAL  tipc: fix double-free in tipc_buf_append()
CVE-2026-52931   9.8   CRITICAL  batman-adv: tp_meter: avoid use of uninit sender vars
CVE-2026-52989   9.8   CRITICAL  nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers
CVE-2026-52924   9.8   CRITICAL  sctp: purge outqueue on stale COOKIE-ECHO handling
CVE-2026-52986   9.8   CRITICAL  netfilter: nf_conntrack_sip: don't use simple_strtoul
CVE-2026-52999   9.1   CRITICAL  netfilter: nfnetlink_osf: fix out-of-bounds read on option matching
CVE-2026-52958   9.1   CRITICAL  libceph: Fix potential out-of-bounds access in osdmap_decode()
CVE-2026-53043   9.1   CRITICAL  ocfs2/dlm: validate qr_numregions in dlm_match_regions()

Showing top 20 of 219 CVEs.

IV. Related Vulnerabilities

V. Comments for CVE-2026-53041

No comments yet
