Linux kernel overlay readdir bug: bogus non-zero error from PTR_ERR
CVE-2026-53174 Published on June 25, 2026
ovl: keep err zero after successful ovl_cache_get()
In the Linux kernel, the following vulnerability has been resolved:
ovl: keep err zero after successful ovl_cache_get()
ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
IS_ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.
The syzbot reproducer reaches this through overlay-on-overlay readdir:
getdents64
iterate_dir(outer overlay file)
ovl_iterate_merged()
ovl_cache_get()
ovl_dir_read_merged()
ovl_dir_read()
iterate_dir(inner overlay file)
ovl_iterate_merged()
Only compute PTR_ERR(cache) on the error path.
Products Associated with CVE-2026-53174
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version d25e4b739f8378419f990983f2542160e79738c5 and below e7051909a01bfb883bfa78b27514854068ac4b85 is affected.
- Version d25e4b739f8378419f990983f2542160e79738c5 and below 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 is affected.
- Version 6.19 is affected.
- Before 6.19 is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.