Description
In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d08 ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record. That earlier
fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation. For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata. The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.
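The fix described above is a single bounds comparison in the shared helper. The following userspace C model, added here and not taken from the kernel or from the advisory, contrasts the pre-fix check (block == 0 only) with the fixed one (block == 0 or block >= s_nzones) and shows why one check in the helper covers both exportfs call sites. The struct names, field layout, and return codes are simplifications assumed for this example; the real kernel types are ISOFS_SB(sb)->s_nzones and struct isofs_fid.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the superblock field the fix consults.
 * In the kernel this is ISOFS_SB(sb)->s_nzones (assumed model, not kernel code). */
struct iso_sb_model {
    uint32_t s_nzones;   /* number of logical blocks on the mounted volume */
};

/* Simplified model of the block numbers carried in an isofs NFS file handle.
 * Field names follow the advisory (ifid->block, ifid->parent_block); the
 * rest of the layout is an assumption for this example. */
struct iso_fid_model {
    uint32_t block;          /* block of the inode being looked up */
    uint32_t parent_block;   /* block of its parent directory */
};

/* Outcomes, mirroring what the advisory describes. */
enum iget_result {
    IGET_OK = 0,           /* block handed to the block layer and read */
    IGET_REJECTED_ZERO,    /* pre-existing check: block == 0 */
    IGET_REJECTED_RANGE    /* added check: block >= s_nzones */
};

/* Before the fix: only block 0 is refused, so any other 32-bit value reaches
 * sb_bread() and, if in range for the device, is parsed as a directory record. */
enum iget_result export_iget_before(const struct iso_sb_model *sb, uint32_t block)
{
    (void)sb;   /* the volume size is never consulted */
    if (block == 0)
        return IGET_REJECTED_ZERO;
    return IGET_OK;
}

/* After the fix: one extra comparison bounds the block by the volume size. */
enum iget_result export_iget_after(const struct iso_sb_model *sb, uint32_t block)
{
    if (block == 0)
        return IGET_REJECTED_ZERO;
    if (block >= sb->s_nzones)
        return IGET_REJECTED_RANGE;
    return IGET_OK;
}

/* Model of the two exportfs call sites. Both funnel their block number
 * through the same helper, which is why a single check there covers both. */
enum iget_result fh_to_dentry_model(const struct iso_sb_model *sb,
                                    const struct iso_fid_model *fid)
{
    return export_iget_after(sb, fid->block);
}

enum iget_result fh_to_parent_model(const struct iso_sb_model *sb,
                                    const struct iso_fid_model *fid)
{
    return export_iget_after(sb, fid->parent_block);
}

int main(void)
{
    /* Constructed sample: a volume of 1000 blocks and a handle whose parent
     * block lies far outside it. */
    struct iso_sb_model sb = { .s_nzones = 1000 };
    struct iso_fid_model fid = { .block = 17, .parent_block = 0xFFFFFFFFu };

    printf("before fix, block %u: %d\n", fid.parent_block,
           export_iget_before(&sb, fid.parent_block));
    printf("after fix,  block %u: %d\n", fid.parent_block,
           export_iget_after(&sb, fid.parent_block));
    printf("dentry lookup: %d, parent lookup: %d\n",
           fh_to_dentry_model(&sb, &fid), fh_to_parent_model(&sb, &fid));
    return 0;
}
```

The model makes the boundary explicit: block s_nzones itself is rejected (the comparison is >=, not >), and the check sits in the helper rather than in either caller, so a future third caller would inherit it.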
Published: 2026-05-28
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel’s isofs implementation allows an attacker to supply a crafted NFS file handle containing an arbitrary block number. The kernel fails to enforce bounds validation beyond a check for block == 0, so the exported NFS server can read any block that exists on the backing device as if it were an ISO directory record. The read is performed through sb_bread, which returns NULL cleanly for out-of-range blocks; however, for in-range reads that cross partition boundaries the data returned can contain unrelated bytes from adjacent partitions. These bytes are propagated back to the NFS client as dentry metadata, providing a covert channel for leaking data. The vulnerability does not lead to a memory safety issue or code execution; its impact is limited to information disclosure to an authenticated NFS peer. Because the surface area is narrow – an authenticated NFS client interacting with loop-mounted ISO images – the risk is low to moderate, but the flaw is considered hardening related and warrants remediation.

Affected Systems

Linux kernel (all versions prior to the fix that added bounds validation in isofs_export_iget). The vulnerability affects systems running a kernel that includes the isofs filesystem and exports it over NFS using loop-mounted ISO images. No specific release series is listed; all affected kernel releases should be updated to a patched version once available.

Risk and Exploitability

The exploit requires an authenticated NFS client manipulating file handles. No publicly available exploitation path involves attacker privileges beyond that, and the EPSS score is currently not available. The flaw is not listed in CISA’s KEV catalog, and no memory corruption or direct code execution is possible. The CVSS score is not supplied; the consequence remains information disclosure of partition data rather than system compromise.

Generated by OpenCVE AI on May 28, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds a proper bounds check in isofs_export_iget to reject block numbers greater than or equal to ISOFS_SB(sb)->s_nzones.
  • If no patch exists, disable or remove isofs exports over NFS for loop-mounted images to eliminate the attack surface.
  • Restrict NFS client access to authenticated users only and monitor for anomalous file handle requests.


Advisories

No advisories yet.

History

Thu, 28 May 2026 11:45:00 +0000

Type: Weaknesses
Values Removed / Values Added: CWE-20, CWE-200

Thu, 28 May 2026 10:15:00 +0000

Type / Values Removed / Values Added:
Description: initial description added (identical to the Description section above)
Title: isofs: validate block number from NFS file handle in isofs_export_iget
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References: (none listed)

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:38.887Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46124

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T10:16:27.920

Modified: 2026-05-28T10:16:27.920

Link: CVE-2026-46124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T11:30:15Z

Weaknesses