fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START_CVE-2026-53130

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.

Basic Information

ID CVE-2026-53130

Source Linux

Published Jun 24, 2026 at 16:30

Modified Jun 28, 2026 at 06:39

Affected Product

Vendor Linux

Product Linux

Version a3ab7155ea21aadc8a4d5687e91b3d876973185e

Affected Versions Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e
Linux Linux 2.6.27

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START\n\nomfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),\nbut it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).\n\nLater, omfs_make_empty() uses\n\n    sbi->s_sys_blocksize - OMFS_DIR_START\n\nas the length argument to memset().  Since s_sys_blocksize is u32,\na crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes\nan unsigned underflow there, wrapping to a value near 2^32.  That drives\na ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel\nmemory far beyond the backing block buffer.\n\nAdd the corresponding lower-bound check alongside the existing upper-bound\ncheck in omfs_fill_super(), so that malformed images are rejected during\nsuperblock validation before any filesystem data is processed.",
    "published": "2026-06-24T16:30:57.227Z",
    "modified": "2026-06-28T06:39:22.273Z",
    "type": "cve",
    "title": "fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/fbc72f5c645155dc2ed3573243ed20f9913e3a54\nhttps://git.kernel.org/stable/c/5822a05a841a10794ad818620dd2af490b0705d3\nhttps://git.kernel.org/stable/c/754ff1bea3819a90c6f33cccfc1a299ef7609f07\nhttps://git.kernel.org/stable/c/131ea3e57fc22936ed0e2c8330f2e36106172f51\nhttps://git.kernel.org/stable/c/79f84af38c9fef9deb0e02c79eb969b5541c2644\nhttps://git.kernel.org/stable/c/6561afc38398e3518a29c5eebb975c30468f98a6\nhttps://git.kernel.org/stable/c/817f16ed62bc58a168417bfb5e859c2a370bab03\nhttps://git.kernel.org/stable/c/0621c385fda1376e967f37ccd534c26c3e511d14",
    "id": "CVE-2026-53130",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux a3ab7155ea21aadc8a4d5687e91b3d876973185e\nLinux Linux 2.6.27",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "a3ab7155ea21aadc8a4d5687e91b3d876973185e",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply