isofs: validate block number from NFS file handle in isofs_export_iget

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d08 ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record. That earlier
fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation. For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata. The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.

Basic Information

ID CVE-2026-46124

Source Linux

Published May 28, 2026 at 09:35

Modified May 30, 2026 at 10:48

Affected Product

Vendor Linux

Product Linux

Version 952e7a7e317f126d0a2b879fc531b716932d5ffa

Affected Versions Linux Linux 952e7a7e317f126d0a2b879fc531b716932d5ffa
Linux Linux 56dfffea9fd3be0b3795a9ca6401e133a8427e0b
Linux Linux 0405d4b63d082861f4eaff9d39c78ee9dc34f845
Linux Linux 0405d4b63d082861f4eaff9d39c78ee9dc34f845
Linux Linux 0405d4b63d082861f4eaff9d39c78ee9dc34f845
Linux Linux ee01a309ebf598be1ff8174901ed6e91619f1749
Linux Linux 5e7de55602c61c8ff28db075cc49c8dd6989d7e0
Linux Linux 63d5a3e207bf315a32c7d16de6c89753a759f95a
Linux Linux 0fdafdaef796816a9ed0fd7ac812932d569d9beb
Linux Linux 007124c896e7d4614ac1f6bd4dedb975c35a2a8e
Linux Linux 6.6.88
Linux Linux 6.12.25
Linux Linux 5.4.293
Linux Linux 5.10.237
Linux Linux 5.15.181
Linux Linux 6.1.135
Linux Linux 6.14.4
Linux Linux 6.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate block number from NFS file handle in isofs_export_iget\n\nisofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-\ncontrolled block number (ifid->block or ifid->parent_block) from\nthe NFS file handle to isofs_export_iget(), which only rejects\nblock == 0 before calling isofs_iget() and ultimately sb_bread().\nA crafted file handle with fh_len sufficient to pass the check\nadded by commit 0405d4b63d08 (\"isofs: Prevent the use of too small\nfid\") can still drive the server to read any in-range block on the\nbacking device as if it were an iso_directory_record.  That earlier\nfix was assigned CVE-2025-37780.\n\nsb_bread() on an out-of-range block returns NULL cleanly via the\nEIO path, so there is no memory-safety violation.  For in-range\nreads of adjacent-partition data on the same block device, the\nunrelated bytes end up in iso_inode_info fields that reach the NFS\nclient as dentry metadata.  The deployment surface (isofs exported\nover NFS from loop-mounted images) is narrow and requires an\nauthenticated NFS peer, but the malformed-file-handle class is\nreportable as hardening next to the existing CVE-2025-37780 fix.\n\nReject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so\nthe check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()\ncall sites with a single line.",
    "published": "2026-05-28T09:35:38.887Z",
    "modified": "2026-05-30T10:48:03.773Z",
    "type": "cve",
    "title": "isofs: validate block number from NFS file handle in isofs_export_iget",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21\nhttps://git.kernel.org/stable/c/0a1af74ae2177bda3aee0837a0546309aa539d0d\nhttps://git.kernel.org/stable/c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b\nhttps://git.kernel.org/stable/c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6\nhttps://git.kernel.org/stable/c/24376458138387fb251e782e624c7776e9826796",
    "id": "CVE-2026-46124",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 952e7a7e317f126d0a2b879fc531b716932d5ffa\nLinux Linux 56dfffea9fd3be0b3795a9ca6401e133a8427e0b\nLinux Linux 0405d4b63d082861f4eaff9d39c78ee9dc34f845\nLinux Linux 0405d4b63d082861f4eaff9d39c78ee9dc34f845\nLinux Linux 0405d4b63d082861f4eaff9d39c78ee9dc34f845\nLinux Linux ee01a309ebf598be1ff8174901ed6e91619f1749\nLinux Linux 5e7de55602c61c8ff28db075cc49c8dd6989d7e0\nLinux Linux 63d5a3e207bf315a32c7d16de6c89753a759f95a\nLinux Linux 0fdafdaef796816a9ed0fd7ac812932d569d9beb\nLinux Linux 007124c896e7d4614ac1f6bd4dedb975c35a2a8e\nLinux Linux 6.6.88\nLinux Linux 6.12.25\nLinux Linux 5.4.293\nLinux Linux 5.10.237\nLinux Linux 5.15.181\nLinux Linux 6.1.135\nLinux Linux 6.14.4\nLinux Linux 6.15",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "952e7a7e317f126d0a2b879fc531b716932d5ffa",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

isofs: validate block number from NFS file handle in isofs_export_iget_CVE-2026-46124

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply