Description
In the Linux kernel, the following vulnerability has been resolved:

fs/adfs: validate nzones in adfs_validate_bblk()

Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format
images. Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.

Found by syzkaller.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Boot block validation did not reject an ADFS disc record with a zero zone count. With nzones equal to 0, adfs_read_map() passes the value to kmalloc_array(), which returns ZERO_SIZE_PTR rather than a usable buffer. adfs_map_layout() then writes to dm[-1], an out‑of‑bounds write before the allocated buffer that can corrupt kernel memory or crash the system. Such corruption could provide an attacker with a foothold to elevate privileges or execute arbitrary code if additional steps are taken to exploit the overwritten data.
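The zero zone count path described above, as a user-space model added for illustration (not the kernel's code or the upstream patch). The struct fields, function names, the -EINVAL return value and the sample zone counts are assumptions; only the dm[nzones - 1] indexing and the "reject nzones == 0 before use" check come from the description.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for one per-zone map entry (hypothetical fields). */
struct zone_map { unsigned int startbit, endbit; };

/* Model of the added check: a disc record with zero zones is rejected. */
int validate_nzones(unsigned int nzones)
{
    return nzones == 0 ? -EINVAL : 0;
}

/* Index of the last entry the layout step touches: dm[nzones - 1].
 * Computed as a signed value so the nzones == 0 case shows up as -1. */
long last_zone_index(unsigned int nzones)
{
    return (long)nzones - 1;
}

/* Validate, allocate, lay out. Returns 0 or -errno; *out set only on success. */
int read_map(unsigned int nzones, unsigned int zone_bits, struct zone_map **out)
{
    int err = validate_nzones(nzones);
    if (err)
        return err;                 /* a zero-element allocation is never made */
    struct zone_map *dm = calloc(nzones, sizeof(*dm));
    if (!dm)
        return -ENOMEM;
    for (unsigned int z = 0; z < nzones; z++) {
        dm[z].startbit = z * zone_bits;
        dm[z].endbit = dm[z].startbit + zone_bits;
    }
    dm[last_zone_index(nzones)].endbit -= 1;  /* last-zone fixup, index >= 0 here */
    *out = dm;
    return 0;
}

int main(void)
{
    unsigned int samples[] = { 0, 1, 4 };     /* constructed zone counts */
    for (size_t i = 0; i < 3; i++) {
        struct zone_map *dm = NULL;
        int err = read_map(samples[i], 1024, &dm);
        printf("nzones=%u last_index=%ld result=%d\n", samples[i], last_zone_index(samples[i]), err);
        free(dm);
    }
    return 0;
}
```

Without the validation step, the last-zone fixup would index entry -1 of a zero-element allocation, which is the write before the buffer that the description reports.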

Affected Systems

Any Linux kernel configuration that supports ADFS file system images is potentially vulnerable. No specific kernel versions are enumerated in the advisory; users should assume that all kernels that have not been updated with the patch that adds the nzones check are affected.

Risk and Exploitability

The vulnerability has a severe potential impact, but the exploitation path requires booting from a crafted ADFS image or loading a manipulated image during system startup. The EPSS score is not available, and the advisory is not listed in KEV. Without a publicly known exploit, the risk is primarily theoretical, yet the out‑of‑bounds write is a classic kernel buffer overflow that could lead to privilege escalation if successfully harnessed.

Generated by OpenCVE AI on June 24, 2026 at 18:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Linux kernel patch that adds the nzones check in adfs_validate_bblk
  • Upgrade to the latest kernel release that contains the fix
  • If upgrading is not immediately possible, prevent booting from any ADFS image with a zero zone count by disabling ADFS support or removing the image

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/adfs: validate nzones in adfs_validate_bblk() Reject ADFS disc records with a zero zone count during boot block validation, before the disc record is used. When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...) which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], causing an out-of-bounds write before the allocated buffer. adfs_validate_dr0() already rejects nzones != 1 for old-format images. Add the equivalent check to adfs_validate_bblk() for new-format images so that a crafted image with nzones == 0 is rejected at probe time. Found by syzkaller.
Title fs/adfs: validate nzones in adfs_validate_bblk()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:05.592Z

Reserved: 2026-06-09T07:44:35.377Z

Link: CVE-2026-52992

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T18:45:05Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer