HOMEVULNERABILITIESCVE-2026-46169
NONE

CVE-2026-46169

Published: May 28, 2026· Updated: May 28, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

hfsplus: fix uninit-value by validating catalog record size

Syzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The

root cause is that hfs_brec_read() doesn't validate that the on-disk

record size matches the expected size for the record type being read.

When mounting a corrupted filesystem, hfs_brec_read() may read less data

than expected. For example, when reading a catalog thread record, the

debug output showed:

HFSPLUS_BREC_READ: rec_len=520, fd->entrylength=26

HFSPLUS_BREC_READ: WARNING - entrylength (26) < rec_len (520) - PARTIAL READ!

hfs_brec_read() only validates that entrylength is not greater than the

buffer size, but doesn't check if it's less than expected. It successfully

reads 26 bytes into a 520-byte structure and returns success, leaving 494

bytes uninitialized.

This uninitialized data in tmp.thread.nodeName then gets copied by

hfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering

the KMSAN warning when the uninitialized bytes are used as array indices

in case_fold().

Fix by introducing hfsplus_brec_read_cat() wrapper that:

1. Calls hfs_brec_read() to read the data

2. Validates the record size based on the type field:

- Fixed size for folder and file records

- Variable size for thread records (depends on string length)

3. Returns -EIO if size doesn't match expected

For thread records, check against HFSPLUS_MIN_THREAD_SZ before reading

nodeName.length to avoid reading uninitialized data at call sites that

don't zero-initialize the entry structure.

Also initialize the tmp variable in hfsplus_find_cat() as defensive

programming to ensure no uninitialized data even if validation is

bypassed.

NVD Source

Technical Analysis

CVE-2026-46169 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-46169
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46169 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.