CVE-2026-46299 Overview
CVE-2026-46299 is a Linux kernel vulnerability in the hfsplus filesystem driver. The flaw is in hfsplus_fill_super(), which calls hfs_find_init() to set up a catalog B-tree search descriptor; that call takes tree->tree_lock on the catalog tree. If the following hfsplus_cat_build_key() call fails, execution jumps to the out_put_root error label without calling hfs_find_exit(), so the lock is never released. The unwind path then tears the catalog tree down through hfs_btree_close(), which frees the hfs_btree object that still contains the held mutex; with lockdep enabled this trips the held-lock-freed check and produces a WARNING.
The issue was detected during mount operations against a malformed HFS+ filesystem image. It affects multiple stable kernel branches that include the hfsplus driver.
Critical Impact
The practical severity depends on kernel configuration. On a production kernel without lockdep there is no warning: the mount fails with the original error, the catalog tree is freed with its mutex still locked, and the search-key buffer that hfs_find_init() allocated is leaked. Nothing else can block on the freed mutex, because the tree that embedded it is gone, so the bug does not by itself produce a deadlock. On a kernel with lockdep enabled, freeing the tree triggers the WARNING: held lock freed! report, and on hosts that set kernel.panic_on_warn=1 (fuzzing rigs and some hardened builds) that WARNING is a panic, i.e. a local denial of service for anyone who can get a crafted HFS+ image mounted.
Affected Products
- Linux kernel mainline (issue confirmed on v6.13-rc1 and verified in latest mainline at disclosure)
- Linux kernel stable branches containing the hfsplus filesystem driver
- Distributions shipping kernels with CONFIG_HFSPLUS_FS=y (driver built into the kernel image) or CONFIG_HFSPLUS_FS=m (hfsplus loadable module)
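Before choosing between patching and the workarounds below it helps to know how each host actually exposes the driver: built in, loadable, already registered, or blocked. The script that follows is an added example written for this advisory, not code from the kernel project or from the NVD entry. Each check reads its input on stdin, so the same function runs against the live files or against a constructed sample; the file paths are the standard ones searched by modprobe(8) and the kernel, while the output labels (builtin, module, absent, partial) are this script's own convention.

```shell
#!/bin/sh
# Exposure triage for CVE-2026-46299: is hfsplus built into this kernel, a
# loadable module, already registered, or blocked by modprobe configuration?
# Every check reads stdin so it can be pointed at live files or at a sample;
# hfsplus_exposure_report() wires the checks to the running system.

# Reads a kernel .config (e.g. /boot/config-$(uname -r) or "zcat /proc/config.gz")
# and prints builtin (=y), module (=m) or absent (not set / not present).
hfsplus_config_state() {
    awk '
        /^CONFIG_HFSPLUS_FS=y/ { print "builtin"; found = 1; exit }
        /^CONFIG_HFSPLUS_FS=m/ { print "module";  found = 1; exit }
        END { if (!found) print "absent" }
    '
}

# Reads /proc/filesystems and prints yes if the hfsplus type is registered right
# now (built in, or module loaded), else no. A blocked module that was loaded
# before the block was written still shows up here, hence the separate check.
hfsplus_registered() {
    awk '$NF == "hfsplus" { r = 1 } END { print (r ? "yes" : "no") }'
}

# Reads concatenated modprobe.d configuration and prints:
#   yes     - an "install hfsplus /bin/false|/bin/true" rule blocks loading,
#             including an explicit "modprobe hfsplus"
#   partial - only a "blacklist hfsplus" line, which suppresses the module's
#             aliases but leaves an explicit "modprobe hfsplus" working
#   no      - nothing blocks the module
hfsplus_blocked() {
    awk '
        /^[[:space:]]*install[[:space:]]+hfsplus[[:space:]]+\/bin\/(false|true)/ { full = 1 }
        /^[[:space:]]*blacklist[[:space:]]+hfsplus([[:space:]]|$)/              { partial = 1 }
        END { if (full) print "yes"; else if (partial) print "partial"; else print "no" }
    '
}

# Runs the three checks against the running system. Missing files are skipped.
hfsplus_exposure_report() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(hfsplus_config_state < "/boot/config-$(uname -r)")
    elif [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz 2>/dev/null | hfsplus_config_state)
    else
        cfg="unknown (no kernel config found)"
    fi
    if [ -r /proc/filesystems ]; then
        reg=$(hfsplus_registered < /proc/filesystems)
    else
        reg="unknown"
    fi
    blk=$(cat /lib/modprobe.d/*.conf /usr/lib/modprobe.d/*.conf \
              /run/modprobe.d/*.conf /etc/modprobe.d/*.conf 2>/dev/null | hfsplus_blocked)
    printf 'hfsplus in kernel config : %s\n' "$cfg"
    printf 'hfsplus registered now   : %s\n' "$reg"
    printf 'hfsplus blocked          : %s\n' "$blk"
}

hfsplus_exposure_report
```

A host that reports builtin cannot be protected by any modprobe.d rule and needs the kernel update; a host that reports module plus registered yes should have the module unloaded after the block is written, since an already-loaded driver keeps serving mounts.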
Discovery Timeline
- 2026-06-08 - CVE-2026-46299 published to the National Vulnerability Database (NVD)
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46299
Vulnerability Analysis
The vulnerability is a locking error in the HFS+ (Hierarchical File System Plus) mount path (CWE-667, Improper Locking). During superblock initialization, hfsplus_fill_super() calls hfs_find_init(&fd) on the catalog tree to set up a B-tree search descriptor. Besides allocating the search-key buffer, that call takes tree->tree_lock so the catalog tree is serialized for the lookup that follows.
The function then calls hfsplus_cat_build_key() to construct the catalog lookup key. When key construction fails, for example when hfsplus_asc2uni() returns -ENAMETOOLONG, control transfers to the out_put_root label. From there the unwind runs through hfs_btree_close(sbi->cat_tree), which kfree()s the hfs_btree that embeds tree_lock, and hfs_find_exit(&fd) is never called, so the mutex is still held at the moment the memory containing it is freed.
With lockdep enabled, debug_check_no_locks_freed() sees a held lock inside the freed range and emits the WARNING: held lock freed! report (a panic where kernel.panic_on_warn is set). The error matters beyond the diagnostic because a mutex freed while locked is the pattern that precedes a use-after-free whenever the lock is later released or the memory is reused; in this instance the missing hfs_find_exit() also leaks the search-key allocation.
Root Cause
The error-handling path in hfsplus_fill_super() is missing the hfs_find_exit(&fd) call that pairs with the earlier hfs_find_init(&fd). On the success path hfs_find_exit() runs once the lookup is done, releasing tree->tree_lock and freeing the search-key buffer; on the hfsplus_cat_build_key() failure branch the code jumps straight to out_put_root, so the lock is never released before hfs_btree_close() frees the tree.
Attack Vector
Triggering the bug requires mounting a crafted HFS+ filesystem image that makes hfsplus_cat_build_key() fail, typically through a name conversion error such as -ENAMETOOLONG from hfsplus_asc2uni(). The local actor must be able to mount a filesystem, which on most distributions means root or CAP_SYS_ADMIN; hfsplus registers with FS_REQUIRES_DEV and not FS_USERNS_MOUNT, so it cannot be mounted from an unprivileged user namespace. Automounters that mount removable media on behalf of desktop users (udisks2, for example) are the realistic route by which an unprivileged local user or someone with physical access reaches this code, and they broaden the exposure surface accordingly.
No reproducer is included in this advisory. The upstream fix adds the missing hfs_find_exit(&fd) call on the error path so that tree->tree_lock is released and the search-key buffer freed before the tree structure is torn down. Refer to Kernel Git Commit 041acda and the related stable backports for the exact diff.
Detection Methods for CVE-2026-46299
Indicators of Compromise
- Kernel log entries containing WARNING: held lock freed! that name &tree->tree_lock and the acquire site hfs_find_init.
- Stack traces in dmesg in which debug_check_no_locks_freed is reached from kfree via hfs_btree_close inside hfsplus_fill_super.
- mount(2) calls for the hfsplus type failing with ENAMETOOLONG; on its own this only shows that a malformed image was presented, but paired with the lockdep report it identifies the trigger.
Detection Strategies
- Enable lockdep on test kernels (CONFIG_PROVE_LOCKING, or at least CONFIG_DEBUG_LOCK_ALLOC, which selects CONFIG_LOCKDEP) so that the held-lock-freed check is compiled in and its warnings surface during HFS+ mount fuzzing; CONFIG_DEBUG_LOCKDEP only adds lockdep self-checks and is not required for this report.
- Monitor kernel ring buffer output for the hfsplus_fill_super call stack combined with lockdep splats.
- Audit endpoints for unexpected mounts of HFS+ images from removable media or user-supplied disk images.
Monitoring Recommendations
- Forward dmesg and journald kernel facility events to a central log store and alert on lockdep WARNING records.
- Track mount syscalls that name the hfsplus filesystem type. auditd can record the mount syscall itself (-S mount on the relevant arch) but not the type string, which the syscall passes by pointer, so pair it with eBPF telemetry: the syscalls:sys_enter_mount tracepoint exposes the type argument (and syscalls:sys_enter_fsopen the fs_name argument of the new mount API), so a bpftrace or libbpf probe can filter on hfsplus directly.
- Correlate mount-time kernel warnings with the originating process and user to identify abusive automount or local privilege scenarios.
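The detection and monitoring points above reduce to one concrete check: does the kernel log contain a lockdep held-lock-freed report whose lock is &tree->tree_lock and whose backtrace passes through hfsplus_fill_super? The scanner below is an added example for this advisory, not code from the kernel project or from the advisory's source. The sample log embedded in it is constructed to follow the lockdep report layout; its timestamps, addresses, PID and symbol offsets are placeholders, and the max_span window is this script's own heuristic for where a report ends when no further separator follows.

```shell
#!/bin/sh
# Scan kernel log text for the lockdep splat this bug produces. A
# "held lock freed!" report spans many lines: the header, the "is freeing
# memory" line that names the task, the lock line (&tree->tree_lock, acquired
# at hfs_find_init) and the backtrace that passes through hfsplus_fill_super.
# Matching only the header would also fire on unrelated lockdep reports, so
# the scanner groups the lines of one report and requires both the lock name
# and hfsplus_fill_super inside the same report.

# Constructed sample in the lockdep report layout. It is an illustration for
# this example, not a capture from a real system: timestamps, addresses, PID
# and symbol offsets are placeholders.
SAMPLE_DMESG='[  120.410001] =========================
[  120.410020] WARNING: held lock freed!
[  120.410031] 6.13.0-rc1 #1 Not tainted
[  120.410040] -------------------------
[  120.410050] mount/1234 is freeing memory ffff888012345000-ffff8880123453ff, with a lock still held there!
[  120.410070] ffff8880123450a0 (&tree->tree_lock){+.+.}-{3:3}, at: hfs_find_init+0x84/0x1a0
[  120.410090] 1 lock held by mount/1234:
[  120.410100]  #0: ffff8880123450a0 (&tree->tree_lock){+.+.}-{3:3}, at: hfs_find_init+0x84/0x1a0
[  120.410110] stack backtrace:
[  120.410120] Call Trace:
[  120.410130]  debug_check_no_locks_freed+0x1f5/0x2a0
[  120.410140]  kfree+0x9e/0x2c0
[  120.410150]  hfs_btree_close+0x1c2/0x260
[  120.410160]  hfsplus_fill_super+0x9b4/0xd80
[  120.410170]  mount_bdev+0x1e4/0x2a0
[  125.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd'

# Reads kernel log lines on stdin (dmesg, journalctl -k, or a forwarded copy)
# and prints one line per matching report naming the task that freed the tree,
# or "none" when nothing matches. A report is closed by the next lockdep
# separator or header, or after max_span lines without one.
detect_hfsplus_held_lock_freed() {
    awk -v max_span=80 '
        function close_report() {
            if (in_report && have_lock && have_fn) {
                print "hfsplus held-lock-freed: " task
                hits++
            }
            in_report = 0
        }
        /[=]=====+/ { close_report() }
        /WARNING: held lock freed!/ {
            close_report()
            in_report = 1; have_lock = 0; have_fn = 0; task = "?"; span = 0
            next
        }
        in_report {
            span++
            if ($0 ~ /is freeing memory/) {
                task = $0
                sub(/.*] */, "", task)               # drop a dmesg timestamp prefix
                sub(/ is freeing memory.*/, "", task)
            }
            if ($0 ~ /&tree->tree_lock/)   have_lock = 1
            if ($0 ~ /hfsplus_fill_super/) have_fn = 1
            if (span >= max_span) close_report()
        }
        END { close_report(); if (!hits) print "none" }
    '
}

# Stand-alone run against the constructed sample. On a real host feed it
# "dmesg | detect_hfsplus_held_lock_freed" or "journalctl -k -o cat | ...".
printf '%s\n' "$SAMPLE_DMESG" | detect_hfsplus_held_lock_freed
```

The task name it prints (comm/pid from the "is freeing memory" line) is the hook for the correlation step above: match it against the mount record from auditd or the tracepoint probe to find which user and which device presented the image.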
How to Mitigate CVE-2026-46299
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the NVD entry as soon as your distribution publishes updated packages.
- If patching is not immediate, blocklist the hfsplus module with an install rule in /etc/modprobe.d/ on systems that do not need HFS+ support; this has no effect on kernels built with CONFIG_HFSPLUS_FS=y, where the driver is part of the kernel image and only a kernel update removes the code path.
- Restrict mounting of untrusted HFS+ images and disable automatic mounting of removable media on servers and workstations.
Patch Information
The fix adds the missing hfs_find_exit(&fd) call before jumping to the out_put_root error label in hfsplus_fill_super(), ensuring tree->tree_lock is released on the failure path. The corrections are tracked across the following commits: Kernel Git Commit 041acda, Kernel Git Commit 3ca80e3, Kernel Git Commit 90c500e, Kernel Git Commit bfbcce6, and Kernel Git Commit d309d33.
Workarounds
- Blocklist the hfsplus kernel module on systems that do not need to read HFS+ media.
- Disable user-space automounters such as udisks2 from acting on HFS+ partitions until patched kernels are deployed.
- Restrict the CAP_SYS_ADMIN capability and the ability to mount arbitrary filesystem images to administrative users only.
# Configuration example: prevent loading the hfsplus module until patched kernels ship.
# An "install" rule also blocks an explicit "modprobe hfsplus"; "blacklist hfsplus" alone only suppresses aliases.
# Neither helps when CONFIG_HFSPLUS_FS=y, because then the driver is built into the kernel image.
echo 'install hfsplus /bin/false' | sudo tee /etc/modprobe.d/disable-hfsplus.conf
sudo modprobe -r hfsplus 2>/dev/null || true   # unload it now if it is loaded and not in use
sudo modprobe -n -v hfsplus                      # dry run: should print "install /bin/false"
sudo update-initramfs -u                         # Debian/Ubuntu; on Fedora/RHEL use: sudo dracut -f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

