Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks
by comparing it with the current block number bd_blocknr. If they differ,
the block is considered dead and skipped.

However, bd_oblocknr should never be 0 since block 0 typically stores the
primary superblock and is never a valid GC target block. A corrupted ioctl
request with bd_oblocknr set to 0 causes the comparison to incorrectly
match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing
the dead block check and calling nilfs_bmap_mark() on a non-existent
block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering
the WARN_ON(ret == -ENOENT).

Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the
beginning of each iteration.

[ryusuke: slightly modified the commit message and comments for accuracy]
Published: 2026-06-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the nilfs2 filesystem’s io ctl interface for marking blocks for garbage collection. A malformed request that sets the block descriptor field bd_oblocknr to zero bypasses the dead‑block check, causing nilfs_bmap_mark() to be invoked on a non‑existent block. The lookup then fails with –ENOENT, which in turn triggers WARN_ON. The result is kernel warnings and a risk of instability, potentially leading to service interruption if the error propagates further.

Affected Systems

Linux kernels that ship the nilfs2 filesystem and do not yet include the patch that rejects a zero bd_oblocknr value. Any system running a nilfs2 enabled filesystem with the vulnerable io ctl path, regardless of kernel version, is affected until the commit that adds the rejection logic is applied.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker must be able to launch a local ioctl request against a nilfs2 filesystem, implying privileged access or a local compromise. The likely attack vector is a privileged local user executing a crafted ioctl. No information in the CVE data explicitly states remote exploitation or non‑privileged access, so these conclusions are inferred. The impact remains confined to the local node and manifests as kernel warning messages and potential instability, rather than a crash.

Generated by OpenCVE AI on June 29, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the check rejecting zero bd_oblocknr.
  • If a kernel update is not possible, disable or remove the nilfs2 filesystem and migrate data to a supported filesystem.
  • Enable kernel log monitoring to detect WARN_ON messages from nilfs_btree_do_lookup and respond promptly.

Generated by OpenCVE AI on June 29, 2026 at 17:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Mon, 29 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Mon, 29 Jun 2026 12:15:00 +0000


Fri, 26 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped. However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT). Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration. [ryusuke: slightly modified the commit message and comments for accuracy]
Title nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:41:11.932Z

Reserved: 2026-06-09T07:44:35.398Z

Link: CVE-2026-53320

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity :

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53320 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T17:30:06Z

Weaknesses
  • CWE-839

    Numeric Range Comparison Without Minimum Check