CVE-2026-53174 - Vulnerability Details

- ovl: keep err zero after successful ovl_cache_get()

Description

In the Linux kernel, the following vulnerability has been resolved:

ovl: keep err zero after successful ovl_cache_get()

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking
IS_ERR(cache). On success err holds the truncated cache pointer and
can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

getdents64
iterate_dir(outer overlay file)
ovl_iterate_merged()
ovl_cache_get()
ovl_dir_read_merged()
ovl_dir_read()
iterate_dir(inner overlay file)
ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.

Published: 2026-06-25

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`d25e4b739f8378419f990983f2542160e79738c5`	affected	< e7051909a01bfb883bfa78b27514854068ac4b85
`d25e4b739f8378419f990983f2542160e79738c5`	affected	< 1711b6ed6953cee5940ca4c3a6e77f1b3798cee2

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`7.0.13`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[d25e4b739f8378419f990983f2542160e79738c5,e7051909a01bfb883bfa78b27514854068ac4b85)`	affected	code_commit	—
`[d25e4b739f8378419f990983f2542160e79738c5,1711b6ed6953cee5940ca4c3a6e77f1b3798cee2)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	generic	—
`[0,6.19)`	unaffected	generic	—
`[7.0.13,8.0.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00129.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1711b6ed6953cee5940ca4c3a6e77f1b3798cee2
https://git.kernel.org/stable/c/e7051909a01bfb883bfa78b27514854068ac4b85
https://lore.kernel.org/linux-cve-announce/2026062553-CVE-2026-53174-1b7c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-53174
https://www.cve.org/CVERecord?id=CVE-2026-53174

History

Sun, 28 Jun 2026 08:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Fri, 26 Jun 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-170

Fri, 26 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-253
References		https://lore.kernel.org/linux-cve-announce/2026062553-CVE-2026-53174-1b7c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-53174 https://www.cve.org/CVERecord?id=CVE-2026-53174

Thu, 25 Jun 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-170

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ovl: keep err zero after successful ovl_cache_get() ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error. The syzbot reproducer reaches this through overlay-on-overlay readdir: getdents64 iterate_dir(outer overlay file) ovl_iterate_merged() ovl_cache_get() ovl_dir_read_merged() ovl_dir_read() iterate_dir(inner overlay file) ovl_iterate_merged() Only compute PTR_ERR(cache) on the error path.
Title		ovl: keep err zero after successful ovl_cache_get()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1711b6ed6953cee5940ca4c3a6e77f1b3798cee2 https://git.kernel.org/stable/c/e7051909a01bfb883bfa78b27514854068ac4b85

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:51.366Z

Updated: 2026-06-28T06:39:47.801Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53174

Vulnrichment

No data.

NVD

No data.

Redhat

Severity :

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53174 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses

CWE-253

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object