CVE-2026-53174
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
In the Linux kernel, a vulnerability was found in the overlayfs mechanism where ovl_iterate_merged() incorrectly stores PTR_ERR(cache) in the err variable before checking if cache is valid. On successful ovl_cache_get(), err holds a truncated pointer that can be returned as a bogus non-zero error, leading to incorrect directory read operations.
Risk Assessment
The organization may face unexpected errors during directory operations on overlayfs mounts, potentially disrupting applications or services relying on this functionality and causing data access issues.
Recommendation
Immediately update the Linux kernel to a version containing the fix that moves PTR_ERR(cache) computation to the error path only, preventing false error codes.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.

