Description
In the Linux kernel, the following vulnerability has been resolved:

fs/adfs: validate nzones in adfs_validate_bblk()

Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format
images. Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.

Found by syzkaller.
Published: 2026-06-24
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel processes an ADFS image with nzones set to zero during boot block validation, causing adfs_read_map() to call kmalloc_array with a size of 0, which returns a zero-size pointer. Subsequent code in adfs_map_layout() writes to dm[-1], an out-of-bounds location that corrupts kernel memory or can crash the system. This is a classic buffer overflow (CWE-124) weakness that can potentially be exploited to gain elevated privileges if the attacker can influence the result of the write.

Affected Systems

Any Linux kernel configuration that supports ADFS file system images is potentially vulnerable. The CVE does not specify kernel versions, so all kernels that have not been updated with the patch that adds the nzones check are affected.

Risk and Exploitability

Based on the description, it is inferred that the likely attack vector involves booting from a crafted ADFS image or manipulating system startup to load a manipulated image, as the vulnerability triggers during boot block validation. The reported EPSS score of < 1% suggests that exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. The out‑of‑bounds write could lead to kernel memory corruption, potentially allowing an attacker who can deliver a malicious image to gain elevated privileges or execute arbitrary code if additional exploitation steps succeed.

Generated by OpenCVE AI on June 26, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that adds the nzones check in adfs_validate_bblk
  • Upgrade to the latest kernel release that contains the fix
  • If upgrading is not immediately possible, prevent booting from any ADFS image with a zero zone count by disabling ADFS support or removing the image

Generated by OpenCVE AI on June 26, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 26 Jun 2026 12:15:00 +0000


Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/adfs: validate nzones in adfs_validate_bblk() Reject ADFS disc records with a zero zone count during boot block validation, before the disc record is used. When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...) which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], causing an out-of-bounds write before the allocated buffer. adfs_validate_dr0() already rejects nzones != 1 for old-format images. Add the equivalent check to adfs_validate_bblk() for new-format images so that a crafted image with nzones == 0 is rejected at probe time. Found by syzkaller.
Title fs/adfs: validate nzones in adfs_validate_bblk()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:05.592Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52992

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-52992 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-124

    Buffer Underwrite ('Buffer Underflow')