isofs: validate Rock Ridge CE continuation extent against volume size

8.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Description

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate Rock Ridge CE continuation extent against volume size

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.

Basic Information

ID CVE-2026-46303

Source Linux

Published Jun 8, 2026 at 15:46

Modified Jun 14, 2026 at 04:30

Affected Product

Vendor Linux

Product Linux

Version f54e18f1b831c92f6512d2eedb224cd63d607d3d

Affected Versions Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d
Linux Linux 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56
Linux Linux 212c4d33ca83e2144064fe9c2911607fbed5386f
Linux Linux 96e44adce250199ec9b2b928be66365779ff1b59
Linux Linux 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3
Linux Linux fbce0d7dc8965c9fb8d411862040239d4a768c71
Linux Linux 8190393a88f2b0321263a54f2a9eb5a2aa43be7e
Linux Linux 486aa789eadcf44ed87f972b209299c516454693
Linux Linux b6d20edb6e7cedb4eedb9e0193d20dd488ebae84
Linux Linux 2.6.32.66
Linux Linux 3.2.67
Linux Linux 3.4.107
Linux Linux 3.10.64
Linux Linux 3.12.36
Linux Linux 3.14.28
Linux Linux 3.17.8
Linux Linux 3.18.2
Linux Linux 3.19

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate Rock Ridge CE continuation extent against volume size\n\nrock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE\nrecord and passes it to sb_bread() without checking that the block\nnumber is within the mounted ISO 9660 volume.  commit e595447e177b\n(\"[PATCH] rock.c: handle corrupted directories\") added cont_offset\nand cont_size rejection for the CE continuation but did not validate\nthe extent block number itself.  commit f54e18f1b831 (\"isofs: Fix\ninfinite looping over CE entries\") later capped the CE chain length\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\n\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\nor via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at\nan out-of-range block or at blocks belonging to an adjacent\nfilesystem on the same block device.  sb_bread() on an out-of-range\nblock returns NULL cleanly via the block layer EIO path, so there\nis no memory-safety violation.  For in-range reads of adjacent-\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\nonly the text of SL sub-records reaches userspace through\nreadlink(), which makes the info-leak channel narrow and difficult\nto exploit; still, rejecting the malformed CE outright matches the\nrejection shape already present in the same function for\ncont_offset and cont_size.\n\nAdd an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next\nto the existing offset/size rejection, printing the same\ncorrupted-directory-entry notice.",
    "published": "2026-06-08T15:46:30.642Z",
    "modified": "2026-06-14T04:30:03.992Z",
    "type": "cve",
    "title": "isofs: validate Rock Ridge CE continuation extent against volume size",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be\nhttps://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57\nhttps://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9\nhttps://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5\nhttps://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc\nhttps://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8\nhttps://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe\nhttps://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f",
    "id": "CVE-2026-46303",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\nLinux Linux 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56\nLinux Linux 212c4d33ca83e2144064fe9c2911607fbed5386f\nLinux Linux 96e44adce250199ec9b2b928be66365779ff1b59\nLinux Linux 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3\nLinux Linux fbce0d7dc8965c9fb8d411862040239d4a768c71\nLinux Linux 8190393a88f2b0321263a54f2a9eb5a2aa43be7e\nLinux Linux 486aa789eadcf44ed87f972b209299c516454693\nLinux Linux b6d20edb6e7cedb4eedb9e0193d20dd488ebae84\nLinux Linux 2.6.32.66\nLinux Linux 3.2.67\nLinux Linux 3.4.107\nLinux Linux 3.10.64\nLinux Linux 3.12.36\nLinux Linux 3.14.28\nLinux Linux 3.17.8\nLinux Linux 3.18.2\nLinux Linux 3.19",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

isofs: validate Rock Ridge CE continuation extent against volume size_CVE-2026-46303

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply