CVE-2026-43076

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ocfs2: validate inline data i_size during inode read<br /> <br /> When reading an inode from disk, ocfs2_validate_inode_block() performs<br /> various sanity checks but does not validate the size of inline data. If<br /> the filesystem is corrupted, an inode&amp;#39;s i_size can exceed the actual<br /> inline data capacity (id_count).<br /> <br /> This causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data<br /> buffer, triggering a use-after-free when accessing directory entries from<br /> freed memory.<br /> <br /> In the syzbot report:<br /> - i_size was 1099511627576 bytes (~1TB)<br /> - Actual inline data capacity (id_count) is typically pos to jump out of bounds<br /> - This triggered a UAF in ocfs2_check_dir_entry()<br /> <br /> Fix by adding a validation check in ocfs2_validate_inode_block() to ensure<br /> inodes with inline data have i_size