CVE-2026-53174 in Linux
Summary
by MITRE • 06/25/2026
In the Linux kernel, the following vulnerability has been resolved:
ovl: keep err zero after successful ovl_cache_get()
ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.
The syzbot reproducer reaches this through overlay-on-overlay readdir:
getdents64
  iterate_dir(outer overlay file)
    ovl_iterate_merged()
      ovl_cache_get()
        ovl_dir_read_merged()
          ovl_dir_read()
            iterate_dir(inner overlay file)
              ovl_iterate_merged()
Only compute PTR_ERR(cache) on the error path.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability lies in the Linux kernel's overlay filesystem, where a logic error in error handling produces an incorrect return value during directory iteration. The flaw is in ovl_iterate_merged(), which walks the merged directory entries of an overlay filesystem. After calling ovl_cache_get() to obtain the directory cache, the function stores PTR_ERR(cache) in err before testing IS_ERR(cache). When ovl_cache_get() succeeds, err therefore holds the cache pointer truncated to an int, which looks like a non-zero error code rather than a success indicator.
The impact shows up during directory iteration on overlay filesystems, particularly when one overlay is mounted on top of another. The syzbot reproducer reaches the faulty path through getdents64, iterate_dir on the outer overlay file, ovl_iterate_merged, ovl_cache_get, ovl_dir_read_merged, ovl_dir_read, and a nested iterate_dir on the inner overlay file. A legitimate directory traversal can then return a bogus error code instead of directory entry data, so applications may treat a successful operation as a failure.
The flaw is a classic error-handling flow-control mistake, categorized under CWE-755 (improper handling of exceptional conditions) in kernel code. It affects the overlay filesystem's handling of cache references during directory iteration: because the conditional logic is ordered incorrectly, a valid pointer value is interpreted as an error code. The fix computes PTR_ERR(cache) only when the cache pointer actually represents an error, so a successful cache retrieval is no longer flagged as an error.
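The ordering bug and its fix side by side, as an added C model rather than the kernel's own code: the IS_ERR()/PTR_ERR() contract from <linux/err.h> is reproduced with the kernel's constants, struct ovl_dir_cache and dir_emit() are constructed stand-ins, and the early return when the caller's buffer fills is an assumed exit path that hands back whatever err holds.

```c
#include <errno.h>
#include <stdbool.h>
/* Same contract as <linux/err.h>: the top MAX_ERRNO addresses encode -errno. */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline bool IS_ERR(const void *ptr) { return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO; }

/* Constructed stand-ins: a directory cache of names, and a dir_emit() that
 * reports false once the caller's buffer (4 slots) is full. */
struct ovl_dir_cache { const char **names; int n; };
struct dir_ctx { const char *out[4]; int used; };
static bool dir_emit(struct dir_ctx *ctx, const char *name)
{
	if (ctx->used >= 4)
		return false;
	ctx->out[ctx->used++] = name;
	return true;
}
/* Vulnerable ordering: err takes PTR_ERR(cache) before IS_ERR(cache) is tested, so after
 * a successful lookup err holds the pointer truncated to int; any exit that returns err
 * without resetting it (assumed here: full buffer) leaks that bogus non-zero value. */
static int iterate_vulnerable(struct ovl_dir_cache *cache, struct dir_ctx *ctx)
{
	int err;
	err = PTR_ERR(cache);          /* long -> int: low 32 bits of a valid pointer */
	if (IS_ERR(cache))
		goto out;
	for (int i = 0; i < cache->n; i++)
		if (!dir_emit(ctx, cache->names[i]))
			goto out;      /* buffer full: err is still the stale pointer bits */
	err = 0;
out:
	return err;
}

/* Fixed ordering: PTR_ERR(cache) is computed only on the error path. */
static int iterate_fixed(struct ovl_dir_cache *cache, struct dir_ctx *ctx)
{
	int err = 0;
	if (IS_ERR(cache)) {
		err = PTR_ERR(cache);
		goto out;
	}
	for (int i = 0; i < cache->n; i++)
		if (!dir_emit(ctx, cache->names[i]))
			goto out;      /* same early exit, but err is 0 as it should be */
out:
	return err;
}
```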
The security implications go beyond operational disruption: the bug could potentially be used to cause denial-of-service conditions or application-level failures when legitimate filesystem operations are reported as errors. Attackers could use it to make directory traversal behave unpredictably, potentially triggering cascading failures in applications that depend on correct filesystem behaviour. The fix reorders the checks so that the error code is computed only on the error path, preserving the integrity of the overlay filesystem's directory iteration and preventing incorrect error propagation through the kernel's filesystem subsystem.
This vulnerability aligns with ATT&CK techniques related to privilege escalation through kernel exploitation and system stability compromise. The improper error handling in kernel space gives malicious actors an opportunity to manipulate filesystem operations and potentially exploit the inconsistent behaviour to gain unauthorized access or disrupt system services. Because the overlay filesystem is layered, incorrect state can propagate through several abstraction levels, so its error-handling patterns need careful attention. Proper mitigation requires that kernel filesystem implementations maintain consistent error-code semantics throughout their operation.
The fix illustrates defensive programming in kernel space, where error conditions must be carefully distinguished from valid return values. A seemingly minor logic error can have significant operational consequences, especially in filesystem code where multiple layers of abstraction interact. The resolution keeps directory iteration correct while preserving legitimate error reporting for actual error conditions, which matters for the stability and reliability of Linux systems that rely on overlay filesystems for containerization, virtualization and other advanced storage management scenarios.
In short, the vulnerability is a failure of kernel error-handling best practice in which conditional ordering creates an unintended side effect. The corrected implementation computes the error code only when the cache pointer actually indicates an error, preventing invalid error codes from propagating through the filesystem call chain. This reinforces sound kernel development practice around resource management and error-state handling, which is particularly important in high-availability systems where filesystem operations must behave predictably under all conditions. The resolution prevents the potential exploitation scenarios above while maintaining full compatibility with existing overlay filesystem functionality across deployment configurations.