HIGH

CVE-2026-53041

Published: June 24, 2026 · Updated: Jun 28, 2026

CVSS v3.1: 7.1
EPSS: 0.18% probability of exploitation in 30 days · Percentile: 7.4th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix listxattr handling when the buffer is full

[BUG]

If an OCFS2 inode has both inline and block-based xattrs, listxattr()
can return a size larger than the caller's buffer when the inline names
consume that buffer exactly.

kernel BUG at mm/usercopy.c:102!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
RIP: 0010:usercopy_abort+0xb7/0xd0 mm/usercopy.c:102
Call Trace:
__check_heap_object+0xe3/0x120 mm/slub.c:8243
check_heap_object mm/usercopy.c:196 [inline]
__check_object_size mm/usercopy.c:250 [inline]
__check_object_size+0x5c5/0x780 mm/usercopy.c:215
check_object_size include/linux/ucopysize.h:22 [inline]
check_copy_size include/linux/ucopysize.h:59 [inline]
copy_to_user include/linux/uaccess.h:219 [inline]
listxattr+0xb0/0x170 fs/xattr.c:926
filename_listxattr fs/xattr.c:958 [inline]
path_listxattrat+0x137/0x320 fs/xattr.c:988
__do_sys_listxattr fs/xattr.c:1001 [inline]
__se_sys_listxattr fs/xattr.c:998 [inline]
__x64_sys_listxattr+0x7f/0xd0 fs/xattr.c:998
...

[CAUSE]

Commit 936b8834366e ("ocfs2: Refactor xattr list and remove
ocfs2_xattr_handler().") replaced the old per-handler list accounting
with ocfs2_xattr_list_entry(), but it kept using size == 0 to detect
probe mode.

That assumption stops being true once ocfs2_listxattr() finishes the
inline-xattr pass. If the inline names fill the caller buffer exactly,
the block-xattr pass runs with a non-NULL buffer and a remaining size of
zero. ocfs2_xattr_list_entry() then skips the bounds check, keeps
counting block names, and returns a positive size larger than the
supplied buffer.

[FIX]

Detect probe mode by testing whether the destination buffer pointer is
NULL instead of whether the remaining size is zero.

That restores the pre-refactor behavior and matches the OCFS2 getxattr
helpers. Once the remaining buffer reaches zero while more names are
left, the block-xattr pass now returns -ERANGE instead of reporting a
size larger than the allocated list buffer.

NVD Source
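
Added example (not taken from the kernel patch or from this page's sources): a simplified user-space C model of the two-pass listing described in the commit message, comparing the pre-fix probe check (remaining size == 0) with the fixed one (buffer == NULL). The function names, the enum and the attribute names are constructed for illustration and are not the OCFS2 identifiers.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

enum probe_rule { PROBE_SIZE_ZERO, PROBE_NULL_BUFFER }; /* pre-fix vs. fixed */

/* One pass over a name list; returns bytes counted/written or -ERANGE. */
static long list_pass(const char *const *names, size_t n, char *buf,
                      size_t size, enum probe_rule rule)
{
    size_t result = 0;
    int probe = (rule == PROBE_NULL_BUFFER) ? (buf == NULL) : (size == 0);

    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]) + 1;  /* name plus NUL terminator */
        size_t off = result;
        result += len;
        if (probe)
            continue;                       /* size query: count only */
        if (result > size)
            return -ERANGE;                 /* caller's buffer too small */
        memcpy(buf + off, names[i], len);
    }
    return (long)result;
}

/* Inline pass, then block pass over whatever buffer space remains. */
static long model_listxattr(char *buf, size_t size, enum probe_rule rule)
{
    /* Constructed sample names: each set needs exactly 16 bytes. */
    static const char *const inl[] = { "user.a1", "user.a2" };
    static const char *const blk[] = { "user.b1", "user.b2" };
    long i_ret = list_pass(inl, 2, buf, size, rule);
    if (i_ret < 0)
        return i_ret;
    if (buf) {
        buf += i_ret;
        size -= (size_t)i_ret;              /* may reach zero, buf stays non-NULL */
    }
    long b_ret = list_pass(blk, 2, buf, size, rule);
    return b_ret < 0 ? b_ret : i_ret + b_ret;
}

int main(void)
{
    char buf[16];                           /* exactly fits the inline names */
    return model_listxattr(buf, sizeof(buf), PROBE_NULL_BUFFER) == -ERANGE ? 0 : 1;
}
```

With a 16-byte buffer the size == 0 rule reports 32 bytes, more than the caller supplied, while the NULL-pointer rule returns -ERANGE; a NULL-buffer size query returns 32 under both rules.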

Technical Analysis

CVE-2026-53041 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure) and availability disruption (denial of service); the CVSS base score is 7.1.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: Low
Privileges Req.: Low
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: High
Integrity: None
Availability: High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-53041
CVSS Score: 7.1 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.18%
Published: Jun 24, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53041 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.