Home

Description

In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

PUBLISHED Reserved 2026-05-13 | Published 2026-05-28 | Updated 2026-06-01 | Assigner Linux




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Product status

Default status
unaffected

5e7de55602c61c8ff28db075cc49c8dd6989d7e0 (git) before ee0024f5a7e3c73aa253869fae9650ae054093ca
affected

63d5a3e207bf315a32c7d16de6c89753a759f95a (git) before 31dbb4ba0f719ae7774e4c0c95172c9bf81692f5
affected

0fdafdaef796816a9ed0fd7ac812932d569d9beb (git) before 908a76f0b1038035e6ebb4f2293ce079f92e0a02
affected

952e7a7e317f126d0a2b879fc531b716932d5ffa (git) before bb0988ed4f2e26d59bbb58f644cb3a55b7521e21
affected

56dfffea9fd3be0b3795a9ca6401e133a8427e0b (git) before 0a1af74ae2177bda3aee0837a0546309aa539d0d
affected

0405d4b63d082861f4eaff9d39c78ee9dc34f845 (git) before afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b
affected

0405d4b63d082861f4eaff9d39c78ee9dc34f845 (git) before 4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6
affected

0405d4b63d082861f4eaff9d39c78ee9dc34f845 (git) before 24376458138387fb251e782e624c7776e9826796
affected

ee01a309ebf598be1ff8174901ed6e91619f1749 (git)
affected

007124c896e7d4614ac1f6bd4dedb975c35a2a8e (git)
affected

5.10.237 (semver) before 5.10.258
affected

5.15.181 (semver) before 5.15.209
affected

6.1.135 (semver) before 6.1.175
affected

6.6.88 (semver) before 6.6.140
affected

6.12.25 (semver) before 6.12.88
affected

5.4.293 (semver) before 5.5
affected

6.14.4 (semver) before 6.15
affected

Default status
affected

6.15
affected

Any version before 6.15
unaffected

5.10.258 (semver)
unaffected

5.15.209 (semver)
unaffected

6.1.175 (semver)
unaffected

6.6.140 (semver)
unaffected

6.12.88 (semver)
unaffected

6.18.30 (semver)
unaffected

7.0.7 (semver)
unaffected

7.1-rc2 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/ee0024f5a7e3c73aa253869fae9650ae054093ca

git.kernel.org/...c/31dbb4ba0f719ae7774e4c0c95172c9bf81692f5

git.kernel.org/...c/908a76f0b1038035e6ebb4f2293ce079f92e0a02

git.kernel.org/...c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21

git.kernel.org/...c/0a1af74ae2177bda3aee0837a0546309aa539d0d

git.kernel.org/...c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b

git.kernel.org/...c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6

git.kernel.org/...c/24376458138387fb251e782e624c7776e9826796

cve.org (CVE-2026-46124)

nvd.nist.gov (CVE-2026-46124)

Download JSON