What is CVE-2026-45960?

CVE-2026-45960 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 2.6.16 onward and patched in 5.10.252, 5.15.202, 6.1.165 and others. CVE-2026-45960 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-45960?

CVE-2026-45960 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-45960?

Yes, CVE-2026-45960 has been patched. Fixed versions include 5.10.252, 5.15.202, 6.1.165 and others. If you are running Linux kernel 2.6.16 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-45960 actively exploited?

CVE-2026-45960 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-45960

In the Linux kernel, the following vulnerability has been resolved: hfsplus: return error when node already exists in hfs_bnode_create When hfs_bnode_create() finds that a node is already hashed (which should not happen in normal operation), it currently returns the existing node without incrementing its reference count. This causes a reference count inconsistency that leads to a kernel panic when the node is later freed in hfs_bnode_put(): kernel BUG at fs/hfsplus/bnode.c:676! BUG_ON(!atomic_read(&node->refcnt)) This scenario can occur when hfs_bmap_alloc() attempts to allocate a node that is already in use (e.g., when node 0's bitmap bit is incorrectly unset), or due to filesystem corruption. Returning an existing node from a create path is not normal operation. Fix this by returning ERR_PTR(-EEXIST) instead of the node when it's already hashed. This properly signals the error condition to callers, which already check for IS_ERR() return values.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 2.6.16 and later are affected. Fixed in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 2.6.16

Fixed in

✓ 5.10.252 5.10.x ✓ 5.15.202 5.15.x ✓ 6.1.165 6.1.x ✓ 6.6.128 6.6.x ✓ 6.12.75 6.12.x ✓ 6.18.14 6.18.x ✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-45960 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/1ca428769cb4737a25bd32fb4d1573cc09eeaeef
Patch
Kernel patch commit
https://git.kernel.org/stable/c/2e6ff6a6fc69cc17ed10c9cb6242935d52acd52d
Patch
Kernel patch commit
https://git.kernel.org/stable/c/2e9185a42e0e237c74435fd092b7c34537c62156
Patch

8 patch commits total View all on NVD

Frequently asked questions

What is CVE-2026-45960?

CVE-2026-45960 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 2.6.16 onward and has been patched in 5.10.252, 5.15.202, 6.1.165 and others. CVE-2026-45960 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-45960?

Yes — CVE-2026-45960 has been patched. Fixed versions include 5.10.252, 5.15.202, 6.1.165 and others. If you are running Linux kernel 2.6.16 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-45960 actively exploited?

No — CVE-2026-45960 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.