CVE-2026-46124
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate block number from NFS file handle in isofs_export_iget
isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780.
sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.
Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 5e7de55602c61c8ff28db075cc49c8dd6989d7e0 < ee0024f5a7e3c73aa253869fae9650ae054093ca | affected |
| Linux | Linux | 63d5a3e207bf315a32c7d16de6c89753a759f95a < 31dbb4ba0f719ae7774e4c0c95172c9bf81692f5 | affected |
| Linux | Linux | 0fdafdaef796816a9ed0fd7ac812932d569d9beb < 908a76f0b1038035e6ebb4f2293ce079f92e0a02 | affected |
| Linux | Linux | 952e7a7e317f126d0a2b879fc531b716932d5ffa < bb0988ed4f2e26d59bbb58f644cb3a55b7521e21 | affected |
| Linux | Linux | 56dfffea9fd3be0b3795a9ca6401e133a8427e0b < 0a1af74ae2177bda3aee0837a0546309aa539d0d | affected |
| Linux | Linux | 0405d4b63d082861f4eaff9d39c78ee9dc34f845 < afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b | affected |
| Linux | Linux | 0405d4b63d082861f4eaff9d39c78ee9dc34f845 < 4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6 | affected |
| Linux | Linux | 0405d4b63d082861f4eaff9d39c78ee9dc34f845 < 24376458138387fb251e782e624c7776e9826796 | affected |
| Linux | Linux | ee01a309ebf598be1ff8174901ed6e91619f1749 | affected |
| Linux | Linux | 007124c896e7d4614ac1f6bd4dedb975c35a2a8e | affected |
| Linux | Linux | 5.10.237 < 5.10.258 | affected |
| Linux | Linux | 5.15.181 < 5.15.209 | affected |
| Linux | Linux | 6.1.135 < 6.1.175 | affected |
| Linux | Linux | 6.6.88 < 6.6.140 | affected |
| Linux | Linux | 6.12.25 < 6.12.88 | affected |
| Linux | Linux | 5.4.293 < 5.5 | affected |
| Linux | Linux | 6.14.4 < 6.15 | affected |
| Linux | Linux | 6.15 | affected |
| Linux | Linux | 0 < 6.15 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.140 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.88 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.30 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.7 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/ee0024f5a7e3c73aa253869fae9650ae054093ca
- https://git.kernel.org/stable/c/31dbb4ba0f719ae7774e4c0c95172c9bf81692f5
- https://git.kernel.org/stable/c/908a76f0b1038035e6ebb4f2293ce079f92e0a02
- https://git.kernel.org/stable/c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21
- https://git.kernel.org/stable/c/0a1af74ae2177bda3aee0837a0546309aa539d0d
- https://git.kernel.org/stable/c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b
- https://git.kernel.org/stable/c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6
- https://git.kernel.org/stable/c/24376458138387fb251e782e624c7776e9826796
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.