{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2"
            },
            {
              "fixed": "3003dbf62d151d47a6b90f71655292a51a05f244"
            },
            {
              "fixed": "8be69532e399eec9d9d990f6958b4ff2383b19b3"
            },
            {
              "fixed": "3bc337697c66db2e2a4a94f0509c282c1a014b86"
            },
            {
              "fixed": "61a790974ff7e533acbceca06c7d02f22bf96d4d"
            },
            {
              "fixed": "c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a"
            },
            {
              "fixed": "a420904450962a562ad053a41a53a27755021b48"
            },
            {
              "fixed": "93e8d613f1a01b6637f387cc93f184cf7fb881d6"
            },
            {
              "fixed": "b6b592275aeff184aa82fcf6abccd833fb71b393"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.12"
            },
            {
              "fixed": "5.10.259"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.210"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.176"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.88"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.30"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46169.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix uninit-value by validating catalog record size\n\nSyzbot reported a KMSAN uninit-value issue in hfsplus_strcasecmp(). The\nroot cause is that hfs_brec_read() doesn't validate that the on-disk\nrecord size matches the expected size for the record type being read.\n\nWhen mounting a corrupted filesystem, hfs_brec_read() may read less data\nthan expected. For example, when reading a catalog thread record, the\ndebug output showed:\n\n  HFSPLUS_BREC_READ: rec_len=520, fd-\u003eentrylength=26\n  HFSPLUS_BREC_READ: WARNING - entrylength (26) \u003c rec_len (520) - PARTIAL READ!\n\nhfs_brec_read() only validates that entrylength is not greater than the\nbuffer size, but doesn't check if it's less than expected. It successfully\nreads 26 bytes into a 520-byte structure and returns success, leaving 494\nbytes uninitialized.\n\nThis uninitialized data in tmp.thread.nodeName then gets copied by\nhfsplus_cat_build_key_uni() and used by hfsplus_strcasecmp(), triggering\nthe KMSAN warning when the uninitialized bytes are used as array indices\nin case_fold().\n\nFix by introducing hfsplus_brec_read_cat() wrapper that:\n1. Calls hfs_brec_read() to read the data\n2. Validates the record size based on the type field:\n   - Fixed size for folder and file records\n   - Variable size for thread records (depends on string length)\n3. Returns -EIO if size doesn't match expected\n\nFor thread records, check against HFSPLUS_MIN_THREAD_SZ before reading\nnodeName.length to avoid reading uninitialized data at call sites that\ndon't zero-initialize the entry structure.\n\nAlso initialize the tmp variable in hfsplus_find_cat() as defensive\nprogramming to ensure no uninitialized data even if validation is\nbypassed.",
  "id": "CVE-2026-46169",
  "modified": "2026-07-15T01:49:12.193149979Z",
  "published": "2026-05-28T09:36:24.361Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3003dbf62d151d47a6b90f71655292a51a05f244"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3bc337697c66db2e2a4a94f0509c282c1a014b86"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61a790974ff7e533acbceca06c7d02f22bf96d4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8be69532e399eec9d9d990f6958b4ff2383b19b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/93e8d613f1a01b6637f387cc93f184cf7fb881d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a420904450962a562ad053a41a53a27755021b48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6b592275aeff184aa82fcf6abccd833fb71b393"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c91bbd6193c70a02c50c22e0fb1f60c3c5bd053a"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46169.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46169"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "hfsplus: fix uninit-value by validating catalog record size"
}