Bug 2482018 (CVE-2026-45960) - CVE-2026-45960 kernel: hfsplus: return error when node already exists in hfs_bnode_create
Summary: CVE-2026-45960 kernel: hfsplus: return error when node already exists in hfs_...
Keywords:
Status: NEW
Alias: CVE-2026-45960
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:07 UTC by OSIDB Bzimport
Modified: 2026-05-27 23:21 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:07:18 UTC
In the Linux kernel, the following vulnerability has been resolved:

hfsplus: return error when node already exists in hfs_bnode_create

When hfs_bnode_create() finds that a node is already hashed (which should
not happen in normal operation), it currently returns the existing node
without incrementing its reference count. This causes a reference count
inconsistency that leads to a kernel panic when the node is later freed
in hfs_bnode_put():

    kernel BUG at fs/hfsplus/bnode.c:676!
    BUG_ON(!atomic_read(&node->refcnt))

This scenario can occur when hfs_bmap_alloc() attempts to allocate a node
that is already in use (e.g., when node 0's bitmap bit is incorrectly
unset), or due to filesystem corruption.

Returning an existing node from a create path is not normal operation.

Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's
already hashed. This properly signals the error condition to callers,
which already check for IS_ERR() return values.


Note You need to log in before you can comment on or make changes to this bug.