CVE-2026-23388 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check metadata block offset is within range

Syzkaller reports a "general protection fault in squashfs_copy_data"

This is ultimately caused by a corrupted index look-up table, which
produces a negative metadata block offset.

This is subsequently passed to squashfs_copy_data (via
squashfs_read_metadata) where the negative offset causes an out of bounds
access.

The fix is to check that the offset is within range in
squashfs_read_metadata. This will trap this and other cases.

Published: 2026-03-25

Score: 6.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Linux kernel’s squashfs implementation. A corrupted index look‑up table can produce a negative metadata block offset that is subsequently passed to squashfs_copy_data. The negative offset results in an out‑of‑bounds memory access, triggering a general protection fault. Failure to detect this condition can cause the kernel to crash, effectively denying service to processes requiring access to a malformed squashfs filesystem.

Affected Systems

All Linux kernel distributions that include the standard squashfs module are affected. The exact version range is not specified, but any kernel with the unpatched squashfs code is potentially vulnerable. Devices or systems that mount or access squashfs images, such as embedded systems or container images, should examine their kernel release for the fix.

Risk and Exploitability

CVSS scoring indicates a moderate severity (6.6). The EPSS score is below 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the KEV catalog. Exploitation would likely require an attacker to supply a crafted squashfs image with an invalid index that the kernel processes, making the attack vector local or requiring privileged mounting. Overall, the risk is moderate, but the impact of a kernel crash warrants timely remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`f400e12656ab518be107febfe2315fb1eab5a342`	affected	< 0c8ab092aec3ac4294940054772d30b511b16713
`f400e12656ab518be107febfe2315fb1eab5a342`	affected	< 6b847d65f5b0065e02080c61fad93d57d6686383
`f400e12656ab518be107febfe2315fb1eab5a342`	affected	< 9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c
`f400e12656ab518be107febfe2315fb1eab5a342`	affected	< 01ee0bcc29864b78249308e8b35042b09bbf5fe3
`f400e12656ab518be107febfe2315fb1eab5a342`	affected	< 3b9499e7d677dd4366239a292238489a804936b2
`f400e12656ab518be107febfe2315fb1eab5a342`	affected	< fdb24a820a5832ec4532273282cbd4f22c291a0d

Linux

affected

Version	Status	Constraints
`2.6.29`	affected	—
`0`	unaffected	< 2.6.29
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0-rc2`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[f400e12656ab518be107febfe2315fb1eab5a342,0c8ab092aec3ac4294940054772d30b511b16713)`	affected	code_commit	['*']
`[f400e12656ab518be107febfe2315fb1eab5a342,6b847d65f5b0065e02080c61fad93d57d6686383)`	affected	code_commit	['*']
`[f400e12656ab518be107febfe2315fb1eab5a342,9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c)`	affected	code_commit	['*']
`[f400e12656ab518be107febfe2315fb1eab5a342,01ee0bcc29864b78249308e8b35042b09bbf5fe3)`	affected	code_commit	['*']
`[f400e12656ab518be107febfe2315fb1eab5a342,3b9499e7d677dd4366239a292238489a804936b2)`	affected	code_commit	['*']
`[f400e12656ab518be107febfe2315fb1eab5a342,fdb24a820a5832ec4532273282cbd4f22c291a0d)`	affected	code_commit	['*']

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.29`	affected	semver	['*']
`[0,2.6.29)`	unaffected	semver	['*']
`[6.1.167,6.2.0)`	unaffected	semver	['*']
`[6.6.130,6.7.0)`	unaffected	semver	['*']
`[6.12.77,6.13.0)`	unaffected	semver	['*']
`[6.18.17,6.19.0)`	unaffected	semver	['*']
`[6.19.7,6.20.0)`	unaffected	semver	['*']
`[7.0-rc2,*]`	unaffected	semver	['*']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the squashfs offset range check.
If an update is not available immediately, unmount or disable the use of squashfs filesystems until a patch can be applied.
Regularly review kernel release notes and vendor advisories for updates related to CVE-2026-23388.

Generated by OpenCVE AI on March 26, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3
https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713
https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2
https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383
https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c
https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d
https://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23388-9e71@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23388
https://www.cve.org/CVERecord?id=CVE-2026-23388

History

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-788

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1285
References		https://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23388-9e71@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23388 https://www.cve.org/CVERecord?id=CVE-2026-23388
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}` threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-788

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.
Title		Squashfs: check metadata block offset is within range
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3 https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713 https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2 https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383 https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:28:06.224Z

Updated: 2026-03-25T10:28:06.224Z

Reserved: 2026-01-13T15:37:46.008Z

Link: CVE-2026-23388

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:39.280

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23388

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23388 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:47:18Z

Weaknesses

CWE-1285

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object