{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nisofs: validate Rock Ridge CE continuation extent against volume size\\n\\nrock_continue() reads rs-\\u003econt_extent verbatim from the Rock Ridge CE\\nrecord and passes it to sb_bread() without checking that the block\\nnumber is within the mounted ISO 9660 volume. commit e595447e177b\\n(\\”[PATCH] rock.c: handle corrupted directories\\”) added cont_offset\\nand cont_size rejection for the CE continuation but did not validate\\nthe extent block number itself. commit f54e18f1b831 (\\”isofs: Fix\\ninfinite looping over CE entries\\”) later capped the CE chain length\\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\\n\\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\\nor via CAP_SYS_ADMIN mount, rs-\\u003econt_extent can therefore point at\\nan out-of-range block or at blocks belonging to an adjacent\\nfilesystem on the same block device. sb_bread() on an out-of-range\\nblock returns NULL cleanly via the block layer EIO path, so there\\nis no memory-safety violation. For in-range reads of adjacent-\\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\\nonly the text of SL sub-records reaches userspace through\\nreadlink(), which makes the info-leak channel narrow and difficult\\nto exploit; still, rejecting the malformed CE outright matches the\\nrejection shape already present in the same function for\\ncont_offset and cont_size.\\n\\nAdd an ISOFS_SB(sb)-\\u003es_nzones bounds check to rock_continue() next\\nto the existing offset\/size rejection, printing the same\\ncorrupted-directory-entry notice.”,”published”:”2026-06-08T15:46:30.642Z”,”modified”:”2026-06-14T04:30:03.992Z”,”type”:”cve”,”title”:”isofs: validate Rock Ridge CE continuation extent against volume size”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/8356fb821016797f5677cbeee5ddc0d32a95b4be\\nhttps:\/\/git.kernel.org\/stable\/c\/d582e12378bc1637f337622feef762f53c43fd57\\nhttps:\/\/git.kernel.org\/stable\/c\/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9\\nhttps:\/\/git.kernel.org\/stable\/c\/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5\\nhttps:\/\/git.kernel.org\/stable\/c\/22b36fa081f38ab397c7697f9d539211b51a0cfc\\nhttps:\/\/git.kernel.org\/stable\/c\/e69da8eeab74b4f4505024c38a17bce060fe7df8\\nhttps:\/\/git.kernel.org\/stable\/c\/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe\\nhttps:\/\/git.kernel.org\/stable\/c\/a36d990f591320e9dd379ab30063ebfe91d47e1f”,”id”:”CVE-2026-46303″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux f54e18f1b831c92f6512d2eedb224cd63d607d3d\\nLinux Linux 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56\\nLinux Linux 212c4d33ca83e2144064fe9c2911607fbed5386f\\nLinux Linux 96e44adce250199ec9b2b928be66365779ff1b59\\nLinux Linux 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3\\nLinux Linux fbce0d7dc8965c9fb8d411862040239d4a768c71\\nLinux Linux 8190393a88f2b0321263a54f2a9eb5a2aa43be7e\\nLinux Linux 486aa789eadcf44ed87f972b209299c516454693\\nLinux Linux b6d20edb6e7cedb4eedb9e0193d20dd488ebae84\\nLinux Linux 2.6.32.66\\nLinux Linux 3.2.67\\nLinux Linux 3.4.107\\nLinux Linux 3.10.64\\nLinux Linux 3.12.36\\nLinux Linux 3.14.28\\nLinux Linux 3.17.8\\nLinux Linux 3.18.2\\nLinux Linux 3.19″,”sourceHref”:””,”cvss”:{“score”:8.2,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”f54e18f1b831c92f6512d2eedb224cd63d607d3d”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nisofs: validate Rock Ridge CE continuation extent against volume size\\n\\nrock_continue() reads rs-\\u003econt_extent verbatim from the Rock…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,77,12,15,13,7,11,5],"class_list":["post-62561","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-82","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n