CVE-2026-23238 - Vulnerability Details

- romfs: check sb_set_blocksize() return value

Description

In the Linux kernel, the following vulnerability has been resolved:

romfs: check sb_set_blocksize() return value

romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail if the requested block size is incompatible with the block
device's configuration.

This can be triggered by setting a loop device's block size larger than
PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs
filesystem on that device.

When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the
device has logical_block_size=32768, bdev_validate_blocksize() fails
because the requested size is smaller than the device's logical block
size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and
continues mounting.

The superblock's block size remains at the device's logical block size
(32768). Later, when sb_bread() attempts I/O with this oversized block
size, it triggers a kernel BUG in folio_set_bh():

kernel BUG at fs/buffer.c:1582!
BUG_ON(size > PAGE_SIZE);

Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.

Published: 2026-03-04

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel’s romfs implementation fails to honor the return value from sb_set_blocksize(). When a device with a larger logical block size is used, the function reports failure but romfs continues, leaving the superblock with an oversized block size. Subsequent reads trigger a kernel BUG, crashing the system. This leads to a denial of service. The weakness is an unchecked return value (CWE-617).

Affected Systems

All kernels that contain the unpatched romfs code, including the 2.6.12 release candidates (2.6.12 rc1–rc5) and the 6.19 release candidates (6.19 rc1–rc7) listed by the CPE entries, are affected. The fix is already present in stable kernel releases newer than those versions.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low exploitation likelihood. The attack requires local privilege to configure a loop device with the ioctl(LOOP_SET_BLOCK_SIZE) call, which normally requires root or equivalent capability. Once the device is prepared, mounting a romfs filesystem on it will crash the kernel. The vulnerability does not provide remote code execution or data exfiltration; it simply produces a kernel crash.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 2c5829cd8fbbc91568c520b666898f57cdcb8cf6
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< cbd9931e6456822067725354d83446c5bb813030
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 9b203b8ddd7359270e8a694d0584743555128e2c
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< 4b71ad7676564a94ec5f7d18298f51e8ae53db73
`1da177e4c3f41524e886b7f1b8a0c1fc7321cac2`	affected	< ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0

Linux

affected

Version	Status	Constraints
`2.6.12`	affected	—
`0`	unaffected	< 2.6.12
`5.10.251`	unaffected	≤ 5.10.*
`5.15.201`	unaffected	≤ 5.15.*
`6.1.164`	unaffected	≤ 6.1.*
`6.6.127`	unaffected	≤ 6.6.*
`6.12.74`	unaffected	≤ 6.12.*
`6.18.13`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a381f0f61b35c8894b0bd0d6acef2d8f9b08b244)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f2521ab1f63a8c244f06a080319e5ff9a2e1bd95)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,2c5829cd8fbbc91568c520b666898f57cdcb8cf6)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,cbd9931e6456822067725354d83446c5bb813030)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9b203b8ddd7359270e8a694d0584743555128e2c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4b71ad7676564a94ec5f7d18298f51e8ae53db73)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.251,5.11.0)`	unaffected	semver	—
`[5.15.201,5.16.0)`	unaffected	semver	—
`[6.1.164,6.2.0)`	unaffected	semver	—
`[6.6.127,6.7.0)`	unaffected	semver	—
`[6.12.74,6.13.0)`	unaffected	semver	—
`[6.18.13,6.19.0)`	unaffected	semver	—
`[6.19,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to a kernel version that includes the romfs block‑size check patch. Distribution maintainers typically bundle the fix in the latest releases; apply the vendor’s security update.
If patching cannot be applied immediately, manually recompile the kernel with the patch that adds the return‑value check (for example, cherry‑picking commit 2c5829cd8fbbc91568c520b666898f57cdcb8cf6) and install the updated kernel.
As a temporary workaround, avoid mounting romfs on loop devices that have been configured with a block size larger than the system’s PAGE_SIZE; ensure any loop device used for romfs has a block size of 4096 bytes or less before mounting, or restrict loop device modifications to privileged users only.

Generated by OpenCVE AI on April 17, 2026 at 13:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4498-1	linux security update
Debian DLA	DLA-4499-1	linux-6.1 security update
Debian DSA	DSA-6163-1	linux security update
Debian DSA	DSA-6162-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6
https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73
https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c
https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0
https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030
https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23238-47f3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23238
https://www.cve.org/CVERecord?id=CVE-2026-23238

History

Tue, 17 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-617
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::

Thu, 05 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23238-47f3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23238 https://www.cve.org/CVERecord?id=CVE-2026-23238
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Wed, 04 Mar 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.
Title		romfs: check sb_set_blocksize() return value
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6 https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73 https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244 https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0 https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030 https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-04T14:38:42.477Z

Updated: 2026-03-08T10:07:34.991Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23238

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-04T15:16:14.530

Modified: 2026-03-17T21:15:39.097

Link: CVE-2026-23238

Redhat

Severity : Moderate

Publid Date: 2026-03-04T00:00:00Z

Links: CVE-2026-23238 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses

CWE-617

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object