CVE-2026-43075
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/05/2026
Last modified:
08/05/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

ocfs2: fix out-of-bounds write in ocfs2_write_end_inline

KASAN reports a use-after-free write of 4086 bytes in
ocfs2_write_end_inline, called from ocfs2_write_end_nolock during a
copy_file_range splice fallback on a corrupted ocfs2 filesystem mounted on
a loop device. The actual bug is an out-of-bounds write past the inode
block buffer, not a true use-after-free. The write overflows into an
adjacent freed page, which KASAN reports as UAF.

The root cause is that ocfs2_try_to_write_inline_data trusts the on-disk
id_count field to determine whether a write fits in inline data. On a
corrupted filesystem, id_count can exceed the physical maximum inline data
capacity, causing writes to overflow the inode block buffer.

Call trace (crash path):

vfs_copy_file_range (fs/read_write.c:1634)
do_splice_direct
splice_direct_to_actor
iter_file_splice_write
ocfs2_file_write_iter
generic_perform_write
ocfs2_write_end
ocfs2_write_end_nolock (fs/ocfs2/aops.c:1949)
ocfs2_write_end_inline (fs/ocfs2/aops.c:1915)
memcpy_from_folio
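The defensive pattern the description points at, as an added C illustration that is not the kernel's patch and not code from this advisory: an on-disk count that says how much inline data a block holds must be bounded by the block's physical capacity (block size minus header size) before it is used as a write limit. The struct layout, block size, and the function names `inline_capacity`, `validated_inline_count`, `inline_write` and `demo_scenario` are hypothetical simplifications, not ocfs2's real on-disk format or API.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 4096u

/* Hypothetical, simplified inode block: a fixed header followed by inline
 * file data that physically ends at BLOCK_SIZE. Only id_count and id_data
 * matter for the check; everything else is stand-in padding. */
struct inline_inode_block {
    uint8_t  header[128];   /* other on-disk inode fields (stand-in) */
    uint16_t id_count;      /* on-disk claim of inline capacity: UNTRUSTED */
    uint16_t reserved;
    uint8_t  id_data[];     /* inline data, runs to the end of the block */
};

/* Physical capacity comes from the block size and the header layout,
 * never from a field read off disk. */
size_t inline_capacity(void) {
    return BLOCK_SIZE - offsetof(struct inline_inode_block, id_data);
}

/* Accept the on-disk count only if the block can actually hold that much.
 * Returns 0 and the count on success, -1 (count 0) if the block is corrupt. */
int validated_inline_count(const struct inline_inode_block *di, size_t *out) {
    size_t cap = inline_capacity();
    if (di->id_count > cap) {
        *out = 0;
        return -1;  /* corrupted: refuse the inline path instead of trusting it */
    }
    *out = di->id_count;
    return 0;
}

/* Inline write of len bytes at offset pos. Returns 0 on success, -1 if the
 * block is corrupt or the write does not fit (caller would take the
 * non-inline path). Bounds are checked with subtraction so pos + len
 * cannot wrap. */
int inline_write(uint8_t *block, size_t pos, const uint8_t *src, size_t len) {
    struct inline_inode_block *di = (struct inline_inode_block *)block;
    size_t count;
    if (validated_inline_count(di, &count) != 0)
        return -1;
    if (pos > count || len > count - pos)
        return -1;
    memcpy(di->id_data + pos, src, len);
    return 0;
}

/* Build a constructed block whose on-disk id_count is `claimed`, then try a
 * write of `len` bytes at `pos`. Returns inline_write's result. */
int demo_scenario(uint16_t claimed, size_t pos, size_t len) {
    uint8_t block[BLOCK_SIZE];
    uint8_t payload[256];
    struct inline_inode_block *di = (struct inline_inode_block *)block;
    memset(block, 0, sizeof block);
    memset(payload, 0xAB, sizeof payload);
    di->id_count = claimed;                 /* constructed on-disk value */
    if (len > sizeof payload) len = sizeof payload;
    return inline_write(block, pos, payload, len);
}

int main(void) {
    printf("inline capacity: %zu bytes\n", inline_capacity());
    printf("honest count, fits:      %d\n", demo_scenario(3964, 0, 100));
    printf("honest count, overflows: %d\n", demo_scenario(3964, 3900, 100));
    printf("corrupt count (8000):    %d\n", demo_scenario(8000, 0, 100));
    return 0;
}
```

The key line is the comparison of `id_count` against `inline_capacity()`: without it, a corrupted count larger than the block makes the later `pos`/`len` check pass and the `memcpy` run off the end of the block buffer, which is the shape of failure the KASAN report above describes.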
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0c1af902223b6fcedb60904ca0b551254686c7b9
- https://git.kernel.org/stable/c/69d3c69ade1e4285ab4ca48fe7acee0767e65604
- https://git.kernel.org/stable/c/7bc5da4842bed3252d26e742213741a4d0ac1b14
- https://git.kernel.org/stable/c/947f953978b0d9463498d548d0f054f5a75be2e9
- https://git.kernel.org/stable/c/e2c9dc6b6e96f3585f2a1062ca3374a52db0938f