LiveActive security incident?Get immediate response
CVE Record

CVE-2021-46989: hfsplus: prevent corruption in shrinking truncate

In the Linux kernel, the following vulnerability has been resolved: hfsplus: prevent corruption in shrinking truncate I believe there are some issues introduced by commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") HFS+ has extent records which always contains 8 extents. In case the first extent record in catalog file gets full, new ones are allocated from extents overflow file. In case shrinking truncate happens to middle of an extent record which locates in extents overflow file, the logic in hfsplus_file_truncate() was changed so that call to hfs_brec_remove() is not guarded any more. Right action would be just freeing the extents that exceed the new size inside extent record by calling hfsplus_free_extents(), and then check if the whole extent record should be removed. However since the guard (blk_cnt > start) is now after the call to hfs_brec_remove(), this has unfortunate effect that the last matching extent record is removed unconditionally. To reproduce this issue, create a file which has at least 10 extents, and then perform shrinking truncate into middle of the last extent record, so that the number of remaining extents is not under or divisible by 8. This causes the last extent record (8 extents) to be removed totally instead of truncating into middle of it. Thus this causes corruption, and lost data. Fix for this is simply checking if the new truncated end is below the start of this extent record, making it safe to remove the full extent record. However call to hfs_brec_remove() can't be moved to it's previous place since we're dropping ->tree_lock and it can cause a race condition and the cached info being invalidated possibly corrupting the node data. Another issue is related to this one. When entering into the block (blk_cnt > start) we are not holding the ->tree_lock. We break out from the loop not holding the lock, but hfs_find_exit() does unlock it. Not sure if it's possible for someone else to take the lock under our feet, but it can cause hard to debug errors and premature unlocking. Even if there's no real risk of it, the locking should still always be kept in balance. Thus taking the lock now just before the check.

MediumCVSS 5.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2021-46989 is a Linux kernel HFS+ filesystem bug that can corrupt data during file shrinking. It requires local access and relates to HFS+ extent handling, not remote network exposure. Business impact is mainly data loss or service disruption on systems using HFS+ volumes.

Executive priority

Treat as a targeted operational risk, not an internet-wide emergency. Patch through normal kernel maintenance, faster where HFS+ volumes are writable or operationally important. The main risk is data loss or disruption, not credential theft or remote compromise.

Technical view

The hfsplus truncate path could remove the last matching extent overflow record unconditionally when shrinking into the middle of that record. The issue was introduced after a deadlock fix and can cause filesystem corruption or lost data. The CVSS vector is local, low complexity, low privilege, no user interaction, with high availability impact.

Likely exposure

Exposure is most likely on Linux systems that mount or process HFS+ filesystems and run affected kernel builds in the listed stable ranges. General Linux servers with no HFS+ usage have lower practical exposure, but kernel package status still needs checking.

Exploitation context

The source bundle does not show CISA KEV listing or active exploitation evidence. The described trigger requires local capability to create and truncate files on an HFS+ filesystem with specific extent conditions. No remote exploitation path is supported by the provided sources.

Researcher notes

The core issue is incorrect extent overflow record removal during shrinking truncate plus lock-balance concerns in hfsplus_file_truncate(). Evidence supports local filesystem-triggered corruption. The bundle does not provide exploit-in-the-wild evidence, CWE mapping, or distro-specific fixed package versions.

Mitigation direction

  • Update Linux kernels to versions carrying the cited stable hfsplus fix commits.
  • Check Linux distribution advisories for the exact fixed package version in use.
  • Prioritize systems that mount writable HFS+ volumes or process removable HFS+ media.
  • Where patching is delayed, reduce writable HFS+ exposure pending vendor guidance.
  • Maintain backups for systems relying on HFS+ volumes.

Validation and detection

  • Inventory Linux hosts and kernel versions against affected ranges and vendor advisories.
  • Identify systems with HFS+ support enabled or HFS+ volumes mounted.
  • Confirm installed kernel includes one of the referenced stable fixes or vendor backport.
  • Review logs and storage health for unexplained HFS+ corruption or data loss.
  • Verify backup coverage before handling important HFS+ volumes.
Prepared
Confidence
high
Sources
8

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2021-46989 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
2ADP providers
7Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.5CVSS 3.1MediumCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H1.83.6CISA-ADP

Vulnerability scoring details

Base CVSS 3.1 score

5.5Medium
CVSS 3.1 vector shape for CVE-2021-46989Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
cvssV3_1other:ssvc
CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux31651c607151f1034cfb57e5a78678bea54c362b, 31651c607151f1034cfb57e5a78678bea54c362b, 31651c607151f1034cfb57e5a78678bea54c362b, 31651c607151f1034cfb57e5a78678bea54c362b, 31651c607151f1034cfb57e5a78678bea54c362b, 31651c607151f1034cfb57e5a78678bea54c362bunaffected
LinuxLinux4.19, 0, 4.19.191, 5.4.120, 5.10.38, 5.11.22, 5.12.5, 5.13affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.