CVE-2026-46124

Summary

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5e7de55602c61c8ff28db075cc49c8dd6989d7e0 < ee0024f5a7e3c73aa253869fae9650ae054093caaffected
LinuxLinux63d5a3e207bf315a32c7d16de6c89753a759f95a < 31dbb4ba0f719ae7774e4c0c95172c9bf81692f5affected
LinuxLinux0fdafdaef796816a9ed0fd7ac812932d569d9beb < 908a76f0b1038035e6ebb4f2293ce079f92e0a02affected
LinuxLinux952e7a7e317f126d0a2b879fc531b716932d5ffa < bb0988ed4f2e26d59bbb58f644cb3a55b7521e21affected
LinuxLinux56dfffea9fd3be0b3795a9ca6401e133a8427e0b < 0a1af74ae2177bda3aee0837a0546309aa539d0daffected
LinuxLinux0405d4b63d082861f4eaff9d39c78ee9dc34f845 < afbafeddf23db13fe2edb2d5c0bf4bbb13d7881baffected
LinuxLinux0405d4b63d082861f4eaff9d39c78ee9dc34f845 < 4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6affected
LinuxLinux0405d4b63d082861f4eaff9d39c78ee9dc34f845 < 24376458138387fb251e782e624c7776e9826796affected
LinuxLinuxee01a309ebf598be1ff8174901ed6e91619f1749affected
LinuxLinux007124c896e7d4614ac1f6bd4dedb975c35a2a8eaffected
LinuxLinux5.10.237 < 5.10.258affected
LinuxLinux5.15.181 < 5.15.209affected
LinuxLinux6.1.135 < 6.1.175affected
LinuxLinux6.6.88 < 6.6.140affected
LinuxLinux6.12.25 < 6.12.88affected
LinuxLinux5.4.293 < 5.5affected
LinuxLinux6.14.4 < 6.15affected
LinuxLinux6.15affected
LinuxLinux0 < 6.15unaffected
LinuxLinux5.10.258 <= 5.10.*unaffected
LinuxLinux5.15.209 <= 5.15.*unaffected
LinuxLinux6.1.175 <= 6.1.*unaffected
LinuxLinux6.6.140 <= 6.6.*unaffected
LinuxLinux6.12.88 <= 6.12.*unaffected
LinuxLinux6.18.30 <= 6.18.*unaffected
LinuxLinux7.0.7 <= 7.0.*unaffected
LinuxLinux7.1 <= *unaffected

Weaknesses

References