{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "23193e513d1cd69411469f028d56fd175d4a6b07"
            },
            {
              "fixed": "d012c782abcabe68b5b9e71be58a15e9f9d83dc1"
            },
            {
              "fixed": "bcd46bc261b215b3b12c557a978299eafa02ecdd"
            },
            {
              "fixed": "131c0b573e1b467b7d553e9ff38003f1acd8f5f2"
            },
            {
              "fixed": "37f074e65f24f10f8d8df224a572e4cb9e6faf63"
            },
            {
              "fixed": "c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b"
            },
            {
              "fixed": "cd2d765aa7157f852999842af32148128c735d39"
            },
            {
              "fixed": "77d0295725109d77f5854ef5b58c0d06c08168cc"
            },
            {
              "fixed": "1524af3685b35feac76662cc551cbc37bd14775f"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.24"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.136"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.83"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.24"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43076.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: validate inline data i_size during inode read\n\nWhen reading an inode from disk, ocfs2_validate_inode_block() performs\nvarious sanity checks but does not validate the size of inline data.  If\nthe filesystem is corrupted, an inode's i_size can exceed the actual\ninline data capacity (id_count).\n\nThis causes ocfs2_dir_foreach_blk_id() to iterate beyond the inline data\nbuffer, triggering a use-after-free when accessing directory entries from\nfreed memory.\n\nIn the syzbot report:\n  - i_size was 1099511627576 bytes (~1TB)\n  - Actual inline data capacity (id_count) is typically \u003c256 bytes\n  - A garbage rec_len (54648) caused ctx-\u003epos to jump out of bounds\n  - This triggered a UAF in ocfs2_check_dir_entry()\n\nFix by adding a validation check in ocfs2_validate_inode_block() to ensure\ninodes with inline data have i_size \u003c= id_count.  This catches the\ncorruption early during inode read and prevents all downstream code from\noperating on invalid data.",
  "id": "CVE-2026-43076",
  "modified": "2026-07-15T01:48:57.439198321Z",
  "published": "2026-05-06T07:40:13.634Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/131c0b573e1b467b7d553e9ff38003f1acd8f5f2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1524af3685b35feac76662cc551cbc37bd14775f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/37f074e65f24f10f8d8df224a572e4cb9e6faf63"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77d0295725109d77f5854ef5b58c0d06c08168cc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcd46bc261b215b3b12c557a978299eafa02ecdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c1de19e891be3bfb3e1d0c7cf07bbb8fb3b77c1b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cd2d765aa7157f852999842af32148128c735d39"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d012c782abcabe68b5b9e71be58a15e9f9d83dc1"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43076.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43076"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ocfs2: validate inline data i_size during inode read"
}