Impact
In the Linux kernel, a flaw in the handling of repeated UDF (Universal Disk Format) partition descriptors can trigger a heap out-of-bounds write. When a crafted image is mounted with duplicate descriptors, the handle_partition_descriptor function omits storing the partition number for appended slots. This omission lets the descriptor table grow unchecked, and when the table reaches its allocated capacity, the growth logic miscalculates the new size, so subsequent writes exceed the bounds of the allocated memory and corrupt adjacent heap objects. The resulting memory corruption could damage kernel data structures and, as is typical with such out-of-bounds writes, may lead to arbitrary code execution or denial of service. The weakness maps to CWE-787.
Affected Systems
All releases of the Linux kernel that do not contain the patch that records partnum in appended slots and adjusts the growth calculation are affected. This includes most distribution kernels shipped before the fix, regardless of vendor. The vulnerability manifests only when UDF support is enabled and a UDF image is mounted; disabling the UDF module or blocking UDF mounts removes the attack surface.
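The mitigation above can be checked per host. The following script is an added example, not part of the original advisory or the kernel project: it reports whether the udf filesystem is already registered with the kernel and, if not, whether modprobe configuration prevents it from loading. It assumes configuration lives in /etc/modprobe.d; the function arguments exist only so the checks can be run against constructed sample files.

```shell
#!/bin/sh
# Added example: report whether UDF images can currently be mounted on this host.

# True if the kernel has the udf filesystem registered (built in, or module loaded).
# Reads a /proc/filesystems-format file.
udf_registered() {
    grep -Eq '(^|[[:space:]])udf$' "${1:-/proc/filesystems}" 2>/dev/null
}

# Classify modprobe configuration for the udf module:
#   blocked        - "install udf /bin/false" (or /bin/true) stops every modprobe of udf
#   blacklist-only - "blacklist udf" stops alias-driven autoload, not "modprobe udf"
#   loadable       - nothing prevents the module loading on the first UDF mount
udf_policy() {
    dir=${1:-/etc/modprobe.d}   # assumption: only this directory is scanned
    # Concatenate all .conf files and drop comments before matching.
    conf=$(cat "$dir"/*.conf 2>/dev/null | sed 's/#.*//')
    if printf '%s\n' "$conf" | grep -Eq \
        '^[[:space:]]*install[[:space:]]+udf[[:space:]]+/(usr/)?bin/(false|true)([[:space:]]|$)'; then
        echo blocked
    elif printf '%s\n' "$conf" | grep -Eq \
        '^[[:space:]]*blacklist[[:space:]]+udf([[:space:]]|$)'; then
        echo blacklist-only
    else
        echo loadable
    fi
}

# One verdict per host. A registered filesystem takes precedence, because
# modprobe rules have no effect on code that is already loaded or built in.
udf_exposure() {
    if udf_registered "$1"; then
        echo registered
    else
        udf_policy "$2"
    fi
}

echo "udf: $(udf_exposure)"
```

A result of `registered` on a kernel with UDF built in cannot be changed through modprobe configuration; in that case only blocking UDF mounts applies.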
Risk and Exploitability
The EPSS score is less than 1% and the vulnerability is not listed in CISA's KEV catalog, which indicates that no widespread exploitation has been reported. An attacker would need to supply a malicious UDF image and mount it on a target system with UDF support active; this could be done locally, or remotely if a network service mounts UDF images. The nature of the memory corruption implies that privilege escalation or denial of service is likely, but this conclusion is inferred and no public exploits have been documented. The CVSS score of 7.8 indicates high severity.
OpenCVE Enrichment