In the Linux kernel, the following vulnerability has been resolved:
hfsplus: return error when node already exists in hfs_bnode_create
When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put():
kernel BUG at fs/hfsplus/bnode.c:676!
BUG_ON(!atomic_read(&node->refcnt))
This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption.
Returning an existing node from a create path is not normal operation.
Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values.
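The reference count imbalance and the fix described above, modelled in userspace as an added example (this is not the kernel's hfsplus code). `model_node`, `model_create`, `model_put`, `scenario_trips_bug` and the `err_ptr`/`is_err` helpers are hypothetical stand-ins, and `model_put` returns -1 at the point where the kernel would hit the `BUG_ON`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel's ERR_PTR()/IS_ERR() (hypothetical names). */
static void *err_ptr(intptr_t e) { return (void *)e; }
static int is_err(const void *p) { return (uintptr_t)p >= (uintptr_t)-4095; }

/* Hypothetical, heavily simplified node: one hash slot and one refcount. */
struct model_node { int refcnt; int hashed; };

/* fixed == 0 models the pre-fix create path, fixed == 1 the patched one. */
static struct model_node *model_create(struct model_node *slot, int fixed)
{
    if (slot->hashed)   /* node already hashed: the case the advisory describes */
        return fixed ? err_ptr(-EEXIST) : slot;   /* pre-fix: no reference taken */
    slot->refcnt = 1;
    slot->hashed = 1;
    return slot;
}

/* Models the put path: -1 marks the point where BUG_ON(!refcnt) would fire. */
static int model_put(struct model_node *n)
{
    if (n->refcnt == 0)
        return -1;
    if (--n->refcnt == 0)
        n->hashed = 0;  /* last reference dropped: node leaves the hash */
    return 0;
}

/* Create the same node twice, then let each holder put it; 1 = BUG_ON reached. */
static int scenario_trips_bug(int fixed)
{
    struct model_node slot = {0, 0};
    struct model_node *owner = model_create(&slot, fixed);
    struct model_node *dup = model_create(&slot, fixed);
    int tripped = 0;
    if (!is_err(dup))   /* callers already check for an error pointer */
        tripped |= model_put(dup) < 0;
    tripped |= model_put(owner) < 0;
    return tripped;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", scenario_trips_bug(0), scenario_trips_bug(1));
    return 0;
}
```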
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45960.json"
}