CVE-2026-53174

ovl: keep err zero after successful ovl_cache_get()

Assigner: Linux
Reserved: 09.06.2026 Published: 25.06.2026 Updated: 25.06.2026

In the Linux kernel, the following vulnerability has been resolved:

ovl: keep err zero after successful ovl_cache_get()

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.

Product Status

Vendor	Linux
Product	Linux
Versions	Default: unaffected affected from d25e4b739f8378419f990983f2542160e79738c5 to e7051909a01bfb883bfa78b27514854068ac4b85 (excl.) affected from d25e4b739f8378419f990983f2542160e79738c5 to 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 (excl.)

Vendor

Linux

Product

Linux

Versions

Default: unaffected

affected from d25e4b739f8378419f990983f2542160e79738c5 to e7051909a01bfb883bfa78b27514854068ac4b85 (excl.)
affected from d25e4b739f8378419f990983f2542160e79738c5 to 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 (excl.)

Vendor	Linux
Product	Linux
Versions	Default: affected Version 6.19 is affected unaffected from 0 to 6.19 (excl.) unaffected from 7.0.13 to 7.0.* (incl.) unaffected from 7.1 to * (incl.)

Vendor

Linux

Product

Linux

Versions

Default: affected

Version 6.19 is affected
unaffected from 0 to 6.19 (excl.)
unaffected from 7.0.13 to 7.0.* (incl.)
unaffected from 7.1 to * (incl.)

References

CVE-2026-53174 PUBLISHED

ovl: keep err zero after successful ovl_cache_get()

Product Status

References