Bug 2492791 (CVE-2026-53174) - CVE-2026-53174 kernel: ovl: keep err zero after successful ovl_cache_get()
Summary: CVE-2026-53174 kernel: ovl: keep err zero after successful ovl_cache_get()
Keywords:
Status: NEW
Alias: CVE-2026-53174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-25 10:05 UTC by OSIDB Bzimport
Modified: 2026-06-26 07:38 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-25 10:05:55 UTC
In the Linux kernel, the following vulnerability has been resolved:

ovl: keep err zero after successful ovl_cache_get()

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
IS_ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

  getdents64
    iterate_dir(outer overlay file)
      ovl_iterate_merged()
        ovl_cache_get()
          ovl_dir_read_merged()
            ovl_dir_read()
              iterate_dir(inner overlay file)
                ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.


Note You need to log in before you can comment on or make changes to this bug.