Improper update of reference count in Linux kernel - CVE-2026-45960
Published: May 28, 2026
Vulnerability identifier: #VU132533
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45960
CWE-ID: CWE-911
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper reference count handling in hfs_bnode_create() when creating a btree node on a corrupted hfsplus filesystem. A local user can trigger node allocation for an already hashed node to cause a denial of service.
This can occur if filesystem corruption causes a node that is already in use to appear available.
How to mitigate CVE-2026-45960
Install security update from vendor's repository.
Sources
- https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef
- https://git.kernel.org/stable/c/2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d
- https://git.kernel.org/stable/c/2e9185a42e0e237c74435fd092b7c34537c62156
- https://git.kernel.org/stable/c/507a1de58c21c95ad7c44afccaf1222d1c42246b
- https://git.kernel.org/stable/c/51838112d9c22502333c3085ca0c0d691e7093c6
- https://git.kernel.org/stable/c/7b57ada854b32310f224abd61bcfec2d5790ff0a
- https://git.kernel.org/stable/c/986455135b95f32c1f142068e451098fc751749e
- https://git.kernel.org/stable/c/d8a73cc46c8462a969a7516131feb3096f4c49d3