Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-46299

Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
08/06/2026
Última modificación:
08/07/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> hfsplus: fix held lock freed on hfsplus_fill_super()<br /> <br /> hfsplus_fill_super() calls hfs_find_init() to initialize a search<br /> structure, which acquires tree-&gt;tree_lock. If the subsequent call to<br /> hfsplus_cat_build_key() fails, the function jumps to the out_put_root<br /> error label without releasing the lock. The later cleanup path then<br /> frees the tree data structure with the lock still held, triggering a<br /> held lock freed warning.<br /> <br /> Fix this by adding the missing hfs_find_exit(&amp;fd) call before jumping<br /> to the out_put_root error label. This ensures that tree-&gt;tree_lock is<br /> properly released on the error path.<br /> <br /> The bug was originally detected on v6.13-rc1 using an experimental<br /> static analysis tool we are developing, and we have verified that the<br /> issue persists in the latest mainline kernel. The tool is specifically<br /> designed to detect memory management issues. It is currently under active<br /> development and not yet publicly available.<br /> <br /> We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,<br /> lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we<br /> used GDB to dynamically shrink the max_unistr_len parameter to 1 before<br /> hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally<br /> return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and<br /> exercises the faulty error path. The following warning was observed<br /> during mount:<br /> <br /> =========================<br /> WARNING: held lock freed!<br /> 7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted<br /> -------------------------<br /> mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!<br /> ffff888103f920b0 (&amp;tree-&gt;tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0<br /> 2 locks held by mount/174:<br /> #0: ffff888103f960e0 (&amp;type-&gt;s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40<br /> #1: ffff888103f920b0 (&amp;tree-&gt;tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0<br /> <br /> stack backtrace:<br /> CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x82/0xd0<br /> debug_check_no_locks_freed+0x13a/0x180<br /> kfree+0x16b/0x510<br /> ? hfsplus_fill_super+0xcb4/0x18a0<br /> hfsplus_fill_super+0xcb4/0x18a0<br /> ? __pfx_hfsplus_fill_super+0x10/0x10<br /> ? srso_return_thunk+0x5/0x5f<br /> ? bdev_open+0x65f/0xc30<br /> ? srso_return_thunk+0x5/0x5f<br /> ? pointer+0x4ce/0xbf0<br /> ? trace_contention_end+0x11c/0x150<br /> ? __pfx_pointer+0x10/0x10<br /> ? srso_return_thunk+0x5/0x5f<br /> ? bdev_open+0x79b/0xc30<br /> ? srso_return_thunk+0x5/0x5f<br /> ? srso_return_thunk+0x5/0x5f<br /> ? vsnprintf+0x6da/0x1270<br /> ? srso_return_thunk+0x5/0x5f<br /> ? __mutex_unlock_slowpath+0x157/0x740<br /> ? __pfx_vsnprintf+0x10/0x10<br /> ? srso_return_thunk+0x5/0x5f<br /> ? srso_return_thunk+0x5/0x5f<br /> ? mark_held_locks+0x49/0x80<br /> ? srso_return_thunk+0x5/0x5f<br /> ? srso_return_thunk+0x5/0x5f<br /> ? irqentry_exit+0x17b/0x5e0<br /> ? trace_irq_disable.constprop.0+0x116/0x150<br /> ? __pfx_hfsplus_fill_super+0x10/0x10<br /> ? __pfx_hfsplus_fill_super+0x10/0x10<br /> get_tree_bdev_flags+0x302/0x580<br /> ? __pfx_get_tree_bdev_flags+0x10/0x10<br /> ? vfs_parse_fs_qstr+0x129/0x1a0<br /> ? __pfx_vfs_parse_fs_qstr+0x3/0x10<br /> vfs_get_tree+0x89/0x320<br /> fc_mount+0x10/0x1d0<br /> path_mount+0x5c5/0x21c0<br /> ? __pfx_path_mount+0x10/0x10<br /> ? trace_irq_enable.constprop.0+0x116/0x150<br /> ? trace_irq_enable.constprop.0+0x116/0x150<br /> ? srso_return_thunk+0x5/0x5f<br /> ? srso_return_thunk+0x5/0x5f<br /> ? kmem_cache_free+0x307/0x540<br /> ? user_path_at+0x51/0x60<br /> ? __x64_sys_mount+0x212/0x280<br /> ? srso_return_thunk+0x5/0x5f<br /> __x64_sys_mount+0x212/0x280<br /> ? __pfx___x64_sys_mount+0x10/0x10<br /> ? srso_return_thunk+0x5/0x5f<br /> ? trace_irq_enable.constprop.0+0x116/0x150<br /> ? srso_return_thunk+0x5/0x5f<br /> do_syscall_64+0x111/0x680<br /> entry_SYSCALL_64_after_hwframe+0x77/0x7f<br /> RIP: 0033:0x7ffacad55eae<br /> Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8<br /> RSP: 002b<br /> ---truncated---

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.19 (incluyendo) 5.10.259 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (incluyendo) 5.15.210 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (incluyendo) 6.1.176 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (incluyendo) 6.6.140 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (incluyendo) 6.12.88 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (incluyendo) 6.18.30 (excluyendo)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (incluyendo) 7.0.7 (excluyendo)