CVE-2026-23238
Improper Blocksize Validation in Linux romfs Causes Kernel Crash
Publication date: 2026-03-04
Last updated on: 2026-03-17
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 2.6.12 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.16 (inc) to 6.1.164 (exc) |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 5.11 (inc) to 5.15.201 (exc) |
| linux | linux_kernel | From 6.2 (inc) to 6.6.127 (exc) |
| linux | linux_kernel | From 6.7 (inc) to 6.12.74 (exc) |
| linux | linux_kernel | From 6.13 (inc) to 6.18.13 (exc) |
| linux | linux_kernel | From 2.6.12.1 (inc) to 5.10.251 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's romfs filesystem code. Specifically, the function romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the underlying block device's configuration.
An attacker can trigger this by setting a loop device's block size larger than PAGE_SIZE (for example, 32768) using ioctl(LOOP_SET_BLOCK_SIZE), then mounting a romfs filesystem on that device.
Because sb_set_blocksize() fails when the requested block size is smaller than the device's logical block size, but romfs_fill_super() ignores this failure, the superblock's block size remains incorrectly set to the device's logical block size.
Later, when the kernel tries to perform I/O with this oversized block size, it triggers a kernel BUG, causing a crash or instability.
The fix involves checking the return value of sb_set_blocksize() and failing the mount operation if it returns failure.
How can this vulnerability impact me? :
This vulnerability can cause a kernel BUG and crash the system when mounting a romfs filesystem on a specially configured loop device.
Such a crash can lead to denial of service (DoS) by making the system unstable or unusable.
If an attacker has the ability to create or configure loop devices and mount filesystems, they could exploit this to disrupt system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves mounting a romfs filesystem on a loop device with an incompatible block size, which can trigger a kernel BUG. Detection would involve checking for improper loop device block size settings and monitoring kernel logs for BUG messages related to fs/buffer.c:1582.
- Check loop device block size settings using: lsblk -o NAME,ROTA,PHY-SEC,LOG-SEC
- Verify if any loop devices have block sizes larger than PAGE_SIZE (usually 4096 bytes).
- Monitor kernel logs for BUG messages with: dmesg | grep 'kernel BUG at fs/buffer.c:1582'
- Check for mounts of romfs filesystems on loop devices with: mount | grep romfs
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that loop devices are not configured with block sizes larger than PAGE_SIZE before mounting romfs filesystems.
Additionally, apply the kernel patch that fixes the issue by checking the return value of sb_set_blocksize() and failing the mount if the block size is incompatible.
Avoid mounting romfs filesystems on loop devices with incompatible block sizes until the fix is applied.