CVE-2026-46299
Gravedad CVSS v3.1:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
08/06/2026
Última modificación:
08/07/2026
Descripción
*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
hfsplus: fix held lock freed on hfsplus_fill_super()<br />
<br />
hfsplus_fill_super() calls hfs_find_init() to initialize a search<br />
structure, which acquires tree->tree_lock. If the subsequent call to<br />
hfsplus_cat_build_key() fails, the function jumps to the out_put_root<br />
error label without releasing the lock. The later cleanup path then<br />
frees the tree data structure with the lock still held, triggering a<br />
held lock freed warning.<br />
<br />
Fix this by adding the missing hfs_find_exit(&fd) call before jumping<br />
to the out_put_root error label. This ensures that tree->tree_lock is<br />
properly released on the error path.<br />
<br />
The bug was originally detected on v6.13-rc1 using an experimental<br />
static analysis tool we are developing, and we have verified that the<br />
issue persists in the latest mainline kernel. The tool is specifically<br />
designed to detect memory management issues. It is currently under active<br />
development and not yet publicly available.<br />
<br />
We confirmed the bug by runtime testing under QEMU with x86_64 defconfig,<br />
lockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we<br />
used GDB to dynamically shrink the max_unistr_len parameter to 1 before<br />
hfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally<br />
return -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and<br />
exercises the faulty error path. The following warning was observed<br />
during mount:<br />
<br />
=========================<br />
WARNING: held lock freed!<br />
7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted<br />
-------------------------<br />
mount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!<br />
ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0<br />
2 locks held by mount/174:<br />
#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40<br />
#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0<br />
<br />
stack backtrace:<br />
CPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)<br />
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014<br />
Call Trace:<br />
<br />
dump_stack_lvl+0x82/0xd0<br />
debug_check_no_locks_freed+0x13a/0x180<br />
kfree+0x16b/0x510<br />
? hfsplus_fill_super+0xcb4/0x18a0<br />
hfsplus_fill_super+0xcb4/0x18a0<br />
? __pfx_hfsplus_fill_super+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? bdev_open+0x65f/0xc30<br />
? srso_return_thunk+0x5/0x5f<br />
? pointer+0x4ce/0xbf0<br />
? trace_contention_end+0x11c/0x150<br />
? __pfx_pointer+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? bdev_open+0x79b/0xc30<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? vsnprintf+0x6da/0x1270<br />
? srso_return_thunk+0x5/0x5f<br />
? __mutex_unlock_slowpath+0x157/0x740<br />
? __pfx_vsnprintf+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? mark_held_locks+0x49/0x80<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? irqentry_exit+0x17b/0x5e0<br />
? trace_irq_disable.constprop.0+0x116/0x150<br />
? __pfx_hfsplus_fill_super+0x10/0x10<br />
? __pfx_hfsplus_fill_super+0x10/0x10<br />
get_tree_bdev_flags+0x302/0x580<br />
? __pfx_get_tree_bdev_flags+0x10/0x10<br />
? vfs_parse_fs_qstr+0x129/0x1a0<br />
? __pfx_vfs_parse_fs_qstr+0x3/0x10<br />
vfs_get_tree+0x89/0x320<br />
fc_mount+0x10/0x1d0<br />
path_mount+0x5c5/0x21c0<br />
? __pfx_path_mount+0x10/0x10<br />
? trace_irq_enable.constprop.0+0x116/0x150<br />
? trace_irq_enable.constprop.0+0x116/0x150<br />
? srso_return_thunk+0x5/0x5f<br />
? srso_return_thunk+0x5/0x5f<br />
? kmem_cache_free+0x307/0x540<br />
? user_path_at+0x51/0x60<br />
? __x64_sys_mount+0x212/0x280<br />
? srso_return_thunk+0x5/0x5f<br />
__x64_sys_mount+0x212/0x280<br />
? __pfx___x64_sys_mount+0x10/0x10<br />
? srso_return_thunk+0x5/0x5f<br />
? trace_irq_enable.constprop.0+0x116/0x150<br />
? srso_return_thunk+0x5/0x5f<br />
do_syscall_64+0x111/0x680<br />
entry_SYSCALL_64_after_hwframe+0x77/0x7f<br />
RIP: 0033:0x7ffacad55eae<br />
Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8<br />
RSP: 002b<br />
---truncated---
Impacto
Puntuación base 3.x
7.00
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.19 (incluyendo) | 5.10.259 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (incluyendo) | 5.15.210 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (incluyendo) | 6.1.176 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (incluyendo) | 6.6.140 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (incluyendo) | 6.12.88 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (incluyendo) | 6.18.30 (excluyendo) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.19 (incluyendo) | 7.0.7 (excluyendo) |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9
- https://git.kernel.org/stable/c/3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e
- https://git.kernel.org/stable/c/6499c9c8ec437a369e7e221dad91f6122b50759d
- https://git.kernel.org/stable/c/90c500e4fd83fa33c09bc7ee23b6d9cc487ac733
- https://git.kernel.org/stable/c/bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc
- https://git.kernel.org/stable/c/c554ddc87af4d4e4be42f8aed1baec9e1c7588e0
- https://git.kernel.org/stable/c/d309d3308de658d87c42d97e044c89a226327526
- https://git.kernel.org/stable/c/e890656accee4c26d932ea388eb8936a6e22184d



