{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: fix listxattr handling when the buffer is full\\n\\n[BUG]\\nIf an OCFS2 inode has both inline and block-based xattrs, listxattr()\\ncan return a size larger than the caller’s buffer when the inline names\\nconsume that buffer exactly.\\n\\nkernel BUG at mm\/usercopy.c:102!\\nOops: invalid opcode: 0000 [#1] SMP KASAN NOPTI\\nRIP: 0010:usercopy_abort+0xb7\/0xd0 mm\/usercopy.c:102\\nCall Trace:\\n __check_heap_object+0xe3\/0x120 mm\/slub.c:8243\\n check_heap_object mm\/usercopy.c:196 [inline]\\n __check_object_size mm\/usercopy.c:250 [inline]\\n __check_object_size+0x5c5\/0x780 mm\/usercopy.c:215\\n check_object_size include\/linux\/ucopysize.h:22 [inline]\\n check_copy_size include\/linux\/ucopysize.h:59 [inline]\\n copy_to_user include\/linux\/uaccess.h:219 [inline]\\n listxattr+0xb0\/0x170 fs\/xattr.c:926\\n filename_listxattr fs\/xattr.c:958 [inline]\\n path_listxattrat+0x137\/0x320 fs\/xattr.c:988\\n __do_sys_listxattr fs\/xattr.c:1001 [inline]\\n __se_sys_listxattr fs\/xattr.c:998 [inline]\\n __x64_sys_listxattr+0x7f\/0xd0 fs\/xattr.c:998\\n …\\n\\n[CAUSE]\\nCommit 936b8834366e (\\”ocfs2: Refactor xattr list and remove\\nocfs2_xattr_handler().\\”) replaced the old per-handler list accounting\\nwith ocfs2_xattr_list_entry(), but it kept using size == 0 to detect\\nprobe mode.\\n\\nThat assumption stops being true once ocfs2_listxattr() finishes the\\ninline-xattr pass. If the inline names fill the caller buffer exactly,\\nthe block-xattr pass runs with a non-NULL buffer and a remaining size of\\nzero. ocfs2_xattr_list_entry() then skips the bounds check, keeps\\ncounting block names, and returns a positive size larger than the\\nsupplied buffer.\\n\\n[FIX]\\nDetect probe mode by testing whether the destination buffer pointer is\\nNULL instead of whether the remaining size is zero.\\n\\nThat restores the pre-refactor behavior and matches the OCFS2 getxattr\\nhelpers. Once the remaining buffer reaches zero while more names are\\nleft, the block-xattr pass now returns -ERANGE instead of reporting a\\nsize larger than the allocated list buffer.”,”published”:”2026-06-24T16:29:47.501Z”,”modified”:”2026-06-28T06:38:23.107Z”,”type”:”cve”,”title”:”ocfs2: fix listxattr handling when the buffer is full”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/a35a1c2b170b5b578b1b3fecb95694796552af9a\\nhttps:\/\/git.kernel.org\/stable\/c\/2323084c17370304f49c84b354fe7b3edbb264fe\\nhttps:\/\/git.kernel.org\/stable\/c\/6f702b00b8124c5d3525f19172934544826a114d\\nhttps:\/\/git.kernel.org\/stable\/c\/d919b905939eda93393e3572900ff70dbad2b47f\\nhttps:\/\/git.kernel.org\/stable\/c\/46e66fefb83811958127bc9ad736983ec629d82b\\nhttps:\/\/git.kernel.org\/stable\/c\/2685df8577a38d83b367c8cf52eda9dc286959ff\\nhttps:\/\/git.kernel.org\/stable\/c\/50033ec1350fe68abdc63b950ced7ae57364b77a\\nhttps:\/\/git.kernel.org\/stable\/c\/d12f558e6200b3f47dbef9331ed6d115d2410e59″,”id”:”CVE-2026-53041″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 936b8834366ec05f2a6993f73afd8348cac9718e\\nLinux Linux 2.6.28″,”sourceHref”:””,”cvss”:{“score”:7.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”936b8834366ec05f2a6993f73afd8348cac9718e”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nocfs2: fix listxattr handling when the buffer is full\\n\\n[BUG]\\nIf an OCFS2 inode has both inline and…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,50,12,15,13,7,11,5],"class_list":["post-66589","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-71","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n