Problem Description:
The ZFS_IOC_USERSPACE_MANY ioctl, used by zfs-userspace(8),
truncated a 64-bit output buffer size to a 32-bit integer for the
kernel allocation, but used the original 64-bit size as the buffer
limit when writing records.
The ZFS_IOC_RECV_NEW ioctl, in the heal receive path, similarly
truncated a 64-bit payload size to a 32-bit integer for allocation,
then used the original 64-bit size as the length for a byteswap
operation.
The ZFS_IOC_SET_PROP ioctl, used by zfs-set(8), incorrectly validated
the calling user such that an unprivileged user is able to set
metadata on a dataset indicating that the dataset has received
properties from a zfs-recv(8) stream.
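The first two issues are the same bug class: a user-controlled 64-bit length is narrowed to 32 bits when the kernel sizes an allocation, while the untruncated value is what later bounds the write (the record-copy loop in ZFS_IOC_USERSPACE_MANY, the byteswap length in ZFS_IOC_RECV_NEW). The following is an added illustration of that pattern and of the check that closes it, written for this advisory; it is not OpenZFS or FreeBSD code. The record size, the upper bound, and all function names are hypothetical, and the overflow is simulated against a canary-padded buffer so the program itself stays memory-safe.

```c
/*
 * Added example, not OpenZFS code: models the 64-bit to 32-bit size
 * truncation described in this advisory. REC_SIZE, MAX_BUFSIZE and the
 * function names are hypothetical.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_SIZE     24u         /* hypothetical fixed record size */
#define MAX_BUFSIZE  (1u << 20)  /* hypothetical cap used by the hardened path */
#define GUARD_SIZE   256u        /* canary bytes appended to the simulated allocation */

/*
 * Vulnerable size handling: the user-controlled 64-bit bufsize is cast
 * to 32 bits for the allocation, while the untruncated value is kept as
 * the bound for the write loop. bufsize = 2^32 + 16 allocates 16 bytes
 * but permits writes up to 4 GiB + 16.
 */
static void vulnerable_sizes(uint64_t bufsize, uint32_t *alloc, uint64_t *limit)
{
    *alloc = (uint32_t)bufsize;  /* silent truncation */
    *limit = bufsize;            /* original value used as the bound */
}

/*
 * Hardened size handling: one type for allocation and bound, and an
 * explicit range check before anything is allocated.
 */
static int hardened_sizes(uint64_t bufsize, size_t *alloc, size_t *limit)
{
    if (bufsize < REC_SIZE || bufsize > MAX_BUFSIZE)
        return EINVAL;
    *alloc = (size_t)bufsize;
    *limit = *alloc;
    return 0;
}

/*
 * Simulates the record-copying loop: writes REC_SIZE-byte records into
 * an allocation of `alloc` bytes, stopping only when the next record
 * would exceed `limit`. To keep the demonstration memory-safe, the
 * allocation is followed by GUARD_SIZE canary bytes and the loop also
 * stops before leaving that padded region. Returns how many canary
 * bytes were overwritten; 0 means the loop stayed inside `alloc`.
 */
static size_t simulate_write(uint32_t alloc, uint64_t limit, uint64_t nrecords)
{
    size_t total = (size_t)alloc + GUARD_SIZE;
    uint8_t *buf = malloc(total);
    if (buf == NULL)
        abort();
    memset(buf, 0xAA, total);

    uint64_t written = 0;
    for (uint64_t i = 0; i < nrecords; i++) {
        if (written + REC_SIZE > limit)   /* the check as the vulnerable code makes it */
            break;
        if (written + REC_SIZE > total)   /* simulation guard rail only */
            break;
        memset(buf + written, 0x00, REC_SIZE);
        written += REC_SIZE;
    }

    size_t clobbered = 0;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (buf[alloc + i] != 0xAA)
            clobbered++;
    free(buf);
    return clobbered;
}

/* Canary bytes overwritten when the vulnerable sizes are used. */
static long vulnerable_overflow_bytes(uint64_t bufsize, uint64_t nrecords)
{
    uint32_t alloc;
    uint64_t limit;
    vulnerable_sizes(bufsize, &alloc, &limit);
    return (long)simulate_write(alloc, limit, nrecords);
}

/* Same for the hardened sizes; -1 means the request was rejected. */
static long hardened_overflow_bytes(uint64_t bufsize, uint64_t nrecords)
{
    size_t alloc, limit;
    if (hardened_sizes(bufsize, &alloc, &limit) != 0)
        return -1;
    return (long)simulate_write((uint32_t)alloc, limit, nrecords);
}

int main(void)
{
    uint64_t evil = (1ULL << 32) + 16;   /* truncates to 16 */
    printf("vulnerable, bufsize=2^32+16: %ld canary bytes clobbered\n",
           vulnerable_overflow_bytes(evil, 100));
    printf("vulnerable, bufsize=4096:    %ld canary bytes clobbered\n",
           vulnerable_overflow_bytes(4096, 1000));
    printf("hardened,   bufsize=2^32+16: %ld (-1 = rejected)\n",
           hardened_overflow_bytes(evil, 100));
    printf("hardened,   bufsize=4096:    %ld canary bytes clobbered\n",
           hardened_overflow_bytes(4096, 1000));
    return 0;
}
```

Note that the vulnerable path behaves correctly for every bufsize below 2^32, which is why a test suite exercising only sane sizes would never trip it; the defect is only reachable by a caller who controls the full 64-bit field, which here is the unprivileged ioctl user. The fix is not just a larger integer type but a single type for allocation and bound plus an explicit maximum checked before allocation.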
Impact:
A local user with the "userused" delegated ZFS permission can
trigger a kernel heap overflow via the ZFS_IOC_USERSPACE_MANY ioctl,
potentially escalating privileges. [CVE-2026-49429]
A local user with the "receive" delegated ZFS permission can trigger
kernel memory corruption via ZFS_IOC_RECV_NEW by sending a crafted
receive stream in heal mode. [CVE-2026-49430]
Any local user can set the internal ZFS metadata flag "$hasrecvd"
on datasets via ZFS_IOC_SET_PROP. [CVE-2026-49431]