Description
In the Linux kernel, the following vulnerability has been resolved:

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),
but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset(). Since s_sys_blocksize is u32,
a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes
an unsigned underflow there, wrapping to a value near 2^32. That drives
a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel
memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound
check in omfs_fill_super(), so that malformed images are rejected during
superblock validation before any filesystem data is processed.
Published: 2026-06-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The omfs filesystem driver in the Linux kernel fails to reject superblock values below the directory start offset. When a malicious filesystem image specifies a superblock block‑size smaller than OMFS_DIR_START, the driver performs an unsigned underflow. The resulting large length argument to a memset call causes the kernel to write far beyond the intended buffer, overwriting arbitrary kernel memory. This overwrite could be leveraged to execute code with kernel privileges.

Affected Systems

All Linux kernel builds that still contain the omfs module and lack the lower‐bound check introduced by the patch. In particular, any system using the older omfs implementation before the commit that added the check is vulnerable. The problem resides in the omfs filesystem driver and applies to kernel kernels that expose omfs support for the operating system.

Risk and Exploitability

Because the vulnerability enables arbitrary kernel memory writes, its potential impact is high: an attacker could gain full control over the affected system. The CVSS score is 7.8, indicating high severity. No public exploits are currently listed, and the EPSS score of 0.0018 indicates a very low exploitation probability. The CVE is not in the CISA KEV catalog. Nevertheless, the severity of a successful attack would be catastrophic, and the lack of mitigation in older kernels places systems at elevated risk.

Generated by OpenCVE AI on June 28, 2026 at 12:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure the kernel is updated to a release that includes the omfs lower‑bound check commit.
  • If the kernel cannot be upgraded, rebuild the kernel with the omfs module disabled or apply the patch manually to the source.
  • Verify that the system does not mount or use the omfs filesystem; disable it in the /etc/fstab or kernel configuration if it is not required.

Generated by OpenCVE AI on June 28, 2026 at 12:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Sun, 28 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-680

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 25 Jun 2026 00:15:00 +0000


Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-680

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440). Later, omfs_make_empty() uses sbi->s_sys_blocksize - OMFS_DIR_START as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer. Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.
Title fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:22.273Z

Reserved: 2026-06-09T07:44:35.386Z

Link: CVE-2026-53130

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53130 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T13:00:13Z

Weaknesses