In the Linux kernel, the following vulnerability has been resolved:
ovl: keep err zero after successful ovlcacheget()
ovliteratemerged() stores PTRERR(cache) in err before checking ISERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.
The syzbot reproducer reaches this through overlay-on-overlay readdir:
getdents64 iteratedir(outer overlay file) ovliteratemerged() ovlcacheget() ovldirreadmerged() ovldirread() iteratedir(inner overlay file) ovliterate_merged()
Only compute PTR_ERR(cache) on the error path.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53174.json"
}