CVE-2026-23388

Summary

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check metadata block offset is within range

Syzkaller reports a "general protection fault in squashfs_copy_data"

This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset.

This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access.

The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 60f679f643f3f36a8571ea585e4ce5d93ef952b5affected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 3f68a9457a6190814377577374da75f872e0a013affected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 0c8ab092aec3ac4294940054772d30b511b16713affected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 6b847d65f5b0065e02080c61fad93d57d6686383affected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 9e9fa5ad37c9cbad73c165c7ff1e76e650825e7caffected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 01ee0bcc29864b78249308e8b35042b09bbf5fe3affected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < 3b9499e7d677dd4366239a292238489a804936b2affected
LinuxLinuxf400e12656ab518be107febfe2315fb1eab5a342 < fdb24a820a5832ec4532273282cbd4f22c291a0daffected
LinuxLinux2.6.29affected
LinuxLinux0 < 2.6.29unaffected
LinuxLinux5.10.253 <= 5.10.*unaffected
LinuxLinux5.15.203 <= 5.15.*unaffected
LinuxLinux6.1.167 <= 6.1.*unaffected
LinuxLinux6.6.130 <= 6.6.*unaffected
LinuxLinux6.12.77 <= 6.12.*unaffected
LinuxLinux6.18.17 <= 6.18.*unaffected
LinuxLinux6.19.7 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References