CVE-2026-52992
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
fs/adfs: validate nzones in adfs_validate_bblk()
Reject ADFS disc records with a zero zone count during boot block validation, before the disc record is used.
When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, …) which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], causing an out-of-bounds write before the allocated buffer.
adfs_validate_dr0() already rejects nzones != 1 for old-format images. Add the equivalent check to adfs_validate_bblk() for new-format images so that a crafted image with nzones == 0 is rejected at probe time.
Found by syzkaller.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < 33aafd2418a59c96c0389d47ea09026661fa9ec6 | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < 1f0ed0f57f0fc87e46fe19a05435c214dc464be2 | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < 6ff8cca5cdb4f2e0ea6d28ecd78479dd3f221ebc | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < a11372a8b1ceaa5e950a84b3b5fbf8228f25e277 | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < 1586bd2d2fb436a26df20a70e78b000d34a7d159 | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < a3fd5dc1c7b0aae947a67dc2e2c037d57557a4de | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < 60d82592ac8b5637fbed871381eb0a16df0a492e | affected |
| Linux | Linux | f6f14a0d71b0773a1d4147d1a3c33d537cd213ab < dd9d3e16c2d5fa166e13dce07413be51f42c8f5d | affected |
| Linux | Linux | 5.6 | affected |
| Linux | Linux | 0 < 5.6 | unaffected |
| Linux | Linux | 5.10.258 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.209 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.175 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.141 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.91 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.33 <= 6.18.* | unaffected |
| Linux | Linux | 7.0.10 <= 7.0.* | unaffected |
| Linux | Linux | 7.1 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/33aafd2418a59c96c0389d47ea09026661fa9ec6
- https://git.kernel.org/stable/c/1f0ed0f57f0fc87e46fe19a05435c214dc464be2
- https://git.kernel.org/stable/c/6ff8cca5cdb4f2e0ea6d28ecd78479dd3f221ebc
- https://git.kernel.org/stable/c/a11372a8b1ceaa5e950a84b3b5fbf8228f25e277
- https://git.kernel.org/stable/c/1586bd2d2fb436a26df20a70e78b000d34a7d159
- https://git.kernel.org/stable/c/a3fd5dc1c7b0aae947a67dc2e2c037d57557a4de
- https://git.kernel.org/stable/c/60d82592ac8b5637fbed871381eb0a16df0a492e
- https://git.kernel.org/stable/c/dd9d3e16c2d5fa166e13dce07413be51f42c8f5d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.