{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-46299: hfsplus: fix held lock freed on hfsplus_fill_super()","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-46299","status":"final","version":"1","initial_release_date":"2026-06-08T15:46:26.670Z","current_release_date":"2026-06-14T04:30:02.894Z","revision_history":[{"date":"2026-06-08T15:46:26.670Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix held lock freed on hfsplus_fill_super()\n\nhfsplus_fill_super() calls hfs_find_init() to initialize a search\nstructure, which acquires tree->tree_lock. If the subsequent call to\nhfsplus_cat_build_key() fails, the function jumps to the out_put_root\nerror label without releasing the lock. The later cleanup path then\nfrees the tree data structure with the lock still held, triggering a\nheld lock freed warning.\n\nFix this by adding the missing hfs_find_exit(&fd) call before jumping\nto the out_put_root error label. This ensures that tree->tree_lock is\nproperly released on the error path.\n\nThe bug was originally detected on v6.13-rc1 using an experimental\nstatic analysis tool we are developing, and we have verified that the\nissue persists in the latest mainline kernel. The tool is specifically\ndesigned to detect memory management issues. It is currently under active\ndevelopment and not yet publicly available.\n\nWe confirmed the bug by runtime testing under QEMU with x86_64 defconfig,\nlockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we\nused GDB to dynamically shrink the max_unistr_len parameter to 1 before\nhfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally\nreturn -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and\nexercises the faulty error path. The following warning was observed\nduring mount:\n\n\t=========================\n\tWARNING: held lock freed!\n\t7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted\n\t-------------------------\n\tmount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!\n\tffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\t2 locks held by mount/174:\n\t#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40\n\t#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\n\tstack backtrace:\n\tCPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tCall Trace:\n\t<TASK>\n\tdump_stack_lvl+0x82/0xd0\n\tdebug_check_no_locks_freed+0x13a/0x180\n\tkfree+0x16b/0x510\n\t? hfsplus_fill_super+0xcb4/0x18a0\n\thfsplus_fill_super+0xcb4/0x18a0\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x65f/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? pointer+0x4ce/0xbf0\n\t? trace_contention_end+0x11c/0x150\n\t? __pfx_pointer+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x79b/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? vsnprintf+0x6da/0x1270\n\t? srso_return_thunk+0x5/0x5f\n\t? __mutex_unlock_slowpath+0x157/0x740\n\t? __pfx_vsnprintf+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? mark_held_locks+0x49/0x80\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? irqentry_exit+0x17b/0x5e0\n\t? trace_irq_disable.constprop.0+0x116/0x150\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\tget_tree_bdev_flags+0x302/0x580\n\t? __pfx_get_tree_bdev_flags+0x10/0x10\n\t? vfs_parse_fs_qstr+0x129/0x1a0\n\t? __pfx_vfs_parse_fs_qstr+0x3/0x10\n\tvfs_get_tree+0x89/0x320\n\tfc_mount+0x10/0x1d0\n\tpath_mount+0x5c5/0x21c0\n\t? __pfx_path_mount+0x10/0x10\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? kmem_cache_free+0x307/0x540\n\t? user_path_at+0x51/0x60\n\t? __x64_sys_mount+0x212/0x280\n\t? srso_return_thunk+0x5/0x5f\n\t__x64_sys_mount+0x212/0x280\n\t? __pfx___x64_sys_mount+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\tdo_syscall_64+0x111/0x680\n\tentry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7ffacad55eae\n\tCode: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8\n\tRSP: 002b\n---truncated---","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-46299 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-46299"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-46299"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/041acda6d9f96006703466449c10c9a69590c8b9"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/d309d3308de658d87c42d97e044c89a226327526"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc"},{"category":"external","summary":"git.kernel.org","url":"https://git.kernel.org/stable/c/90c500e4fd83fa33c09bc7ee23b6d9cc487ac733"}]},"product_tree":{"branches":[{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version_range","name":">=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e","product":{"name":"Linux Linux >=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <041acda6d9f96006703466449c10c9a69590c8b9","product":{"name":"Linux Linux >=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <041acda6d9f96006703466449c10c9a69590c8b9","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <d309d3308de658d87c42d97e044c89a226327526","product":{"name":"Linux Linux >=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <d309d3308de658d87c42d97e044c89a226327526","product_id":"CSAFPID-3","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc","product":{"name":"Linux Linux >=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc","product_id":"CSAFPID-4","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}},{"category":"product_version_range","name":">=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <90c500e4fd83fa33c09bc7ee23b6d9cc487ac733","product":{"name":"Linux Linux >=89ac9b4d3d1a049ae1054f99b1aed81092cd0a82 <90c500e4fd83fa33c09bc7ee23b6d9cc487ac733","product_id":"CSAFPID-5","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"Linux","branches":[{"category":"product_name","name":"Linux","branches":[{"category":"product_version","name":"3.19","product":{"name":"Linux Linux 3.19","product_id":"CSAFPID-6","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"0","product":{"name":"Linux Linux 0","product_id":"CSAFPID-7","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.6.140","product":{"name":"Linux Linux 6.6.140","product_id":"CSAFPID-8","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.12.88","product":{"name":"Linux Linux 6.12.88","product_id":"CSAFPID-9","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"6.18.30","product":{"name":"Linux Linux 6.18.30","product_id":"CSAFPID-10","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.0.7","product":{"name":"Linux Linux 7.0.7","product_id":"CSAFPID-11","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}},{"category":"product_version","name":"7.1-rc1","product":{"name":"Linux Linux 7.1-rc1","product_id":"CSAFPID-12","product_identification_helper":{"cpe":"cpe:2.3:a:linux:linux:3.19:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-46299","title":"hfsplus: fix held lock freed on hfsplus_fill_super()","notes":[{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix held lock freed on hfsplus_fill_super()\n\nhfsplus_fill_super() calls hfs_find_init() to initialize a search\nstructure, which acquires tree->tree_lock. If the subsequent call to\nhfsplus_cat_build_key() fails, the function jumps to the out_put_root\nerror label without releasing the lock. The later cleanup path then\nfrees the tree data structure with the lock still held, triggering a\nheld lock freed warning.\n\nFix this by adding the missing hfs_find_exit(&fd) call before jumping\nto the out_put_root error label. This ensures that tree->tree_lock is\nproperly released on the error path.\n\nThe bug was originally detected on v6.13-rc1 using an experimental\nstatic analysis tool we are developing, and we have verified that the\nissue persists in the latest mainline kernel. The tool is specifically\ndesigned to detect memory management issues. It is currently under active\ndevelopment and not yet publicly available.\n\nWe confirmed the bug by runtime testing under QEMU with x86_64 defconfig,\nlockdep enabled, and CONFIG_HFSPLUS_FS=y. To trigger the error path, we\nused GDB to dynamically shrink the max_unistr_len parameter to 1 before\nhfsplus_asc2uni() is called. This forces hfsplus_asc2uni() to naturally\nreturn -ENAMETOOLONG, which propagates to hfsplus_cat_build_key() and\nexercises the faulty error path. The following warning was observed\nduring mount:\n\n\t=========================\n\tWARNING: held lock freed!\n\t7.0.0-rc3-00016-gb4f0dd314b39 #4 Not tainted\n\t-------------------------\n\tmount/174 is freeing memory ffff888103f92000-ffff888103f92fff, with a lock still held there!\n\tffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\t2 locks held by mount/174:\n\t#0: ffff888103f960e0 (&type->s_umount_key#42/1){+.+.}-{4:4}, at: alloc_super.constprop.0+0x167/0xa40\n\t#1: ffff888103f920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfsplus_find_init+0x154/0x1e0\n\n\tstack backtrace:\n\tCPU: 2 UID: 0 PID: 174 Comm: mount Not tainted 7.0.0-rc3-00016-gb4f0dd314b39 #4 PREEMPT(lazy)\n\tHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014\n\tCall Trace:\n\t<TASK>\n\tdump_stack_lvl+0x82/0xd0\n\tdebug_check_no_locks_freed+0x13a/0x180\n\tkfree+0x16b/0x510\n\t? hfsplus_fill_super+0xcb4/0x18a0\n\thfsplus_fill_super+0xcb4/0x18a0\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x65f/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? pointer+0x4ce/0xbf0\n\t? trace_contention_end+0x11c/0x150\n\t? __pfx_pointer+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? bdev_open+0x79b/0xc30\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? vsnprintf+0x6da/0x1270\n\t? srso_return_thunk+0x5/0x5f\n\t? __mutex_unlock_slowpath+0x157/0x740\n\t? __pfx_vsnprintf+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? mark_held_locks+0x49/0x80\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? irqentry_exit+0x17b/0x5e0\n\t? trace_irq_disable.constprop.0+0x116/0x150\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\t? __pfx_hfsplus_fill_super+0x10/0x10\n\tget_tree_bdev_flags+0x302/0x580\n\t? __pfx_get_tree_bdev_flags+0x10/0x10\n\t? vfs_parse_fs_qstr+0x129/0x1a0\n\t? __pfx_vfs_parse_fs_qstr+0x3/0x10\n\tvfs_get_tree+0x89/0x320\n\tfc_mount+0x10/0x1d0\n\tpath_mount+0x5c5/0x21c0\n\t? __pfx_path_mount+0x10/0x10\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\t? srso_return_thunk+0x5/0x5f\n\t? kmem_cache_free+0x307/0x540\n\t? user_path_at+0x51/0x60\n\t? __x64_sys_mount+0x212/0x280\n\t? srso_return_thunk+0x5/0x5f\n\t__x64_sys_mount+0x212/0x280\n\t? __pfx___x64_sys_mount+0x10/0x10\n\t? srso_return_thunk+0x5/0x5f\n\t? trace_irq_enable.constprop.0+0x116/0x150\n\t? srso_return_thunk+0x5/0x5f\n\tdo_syscall_64+0x111/0x680\n\tentry_SYSCALL_64_after_hwframe+0x77/0x7f\n\tRIP: 0033:0x7ffacad55eae\n\tCode: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 8\n\tRSP: 002b\n---truncated---","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6"],"fixed":["CSAFPID-7","CSAFPID-8","CSAFPID-9","CSAFPID-10","CSAFPID-11","CSAFPID-12"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6"]}],"remediations":[{"category":"vendor_fix","details":"Update to a fixed version: 0, 041acda6d9f96006703466449c10c9a69590c8b9, 3ca80e3012c8be85b4f8d0d20eac8d3b17ff257e, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc1, 90c500e4fd83fa33c09bc7ee23b6d9cc487ac733, bfbcce6a7b0552a390620d9b2c4d2bcb1825cbdc, d309d3308de658d87c42d97e044c89a226327526.","product_ids":["CSAFPID-1","CSAFPID-2","CSAFPID-3","CSAFPID-4","CSAFPID-5","CSAFPID-6"]}]}]}