CVE-2026-53174

HIGH

ovl: keep err zero after successful ovl_cache_get()

Title source: cna
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.

Scores

CVSS v3 7.8
EPSS 0.0013
EPSS Percentile 2.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (9)
linux/Kernel 6.19.0 - 7.0.13linux
Linux/Linux < 6.19
Linux/Linux 6.19
Linux/Linux 7.0.13 - 7.0.*
Linux/Linux 7.1
Linux/Linux d25e4b739f8378419f990983f2542160e79738c5 - 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2
Linux/Linux d25e4b739f8378419f990983f2542160e79738c5 - e7051909a01bfb883bfa78b27514854068ac4b85
linux/linux_kernel 7.1 rc1 (6 CPE variants)
linux/linux_kernel 6.19 - 7.0.13
Published Jun 25, 2026
Tracked Since Jun 25, 2026