CVE-2026-23238

Modified Modified - Updated After Analysis

Improper Blocksize Validation in Linux romfs Causes Kernel Crash

Publication date: 2026-03-04

Last updated on: 2026-06-02

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-04

Last Modified

2026-06-02

Generated

2026-06-16

AI Q&A

2026-03-04

EPSS Evaluated

2026-06-15

NVD

CVE-2026-23238

EUVD

EUVD-2026-9410

Affected Vendors & Products

Vendor	Product	Version / Range
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	From 5.16 (inc) to 6.1.164 (exc)
linux	linux_kernel	6.19
linux	linux_kernel	6.19
linux	linux_kernel	From 5.11 (inc) to 5.15.201 (exc)
linux	linux_kernel	From 6.2 (inc) to 6.6.127 (exc)
linux	linux_kernel	From 6.7 (inc) to 6.12.74 (exc)
linux	linux_kernel	From 6.13 (inc) to 6.18.13 (exc)
linux	linux_kernel	From 2.6.12.1 (inc) to 5.10.251 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-617	The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

Executive Summary

This vulnerability exists in the Linux kernel's romfs filesystem code. Specifically, the function romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the underlying block device's configuration.

An attacker can trigger this by setting a loop device's block size larger than PAGE_SIZE (for example, 32768) using ioctl(LOOP_SET_BLOCK_SIZE), then mounting a romfs filesystem on that device.

Because sb_set_blocksize() fails when the requested block size is smaller than the device's logical block size, but romfs_fill_super() ignores this failure, the superblock's block size remains incorrectly set to the device's logical block size.

Later, when the kernel tries to perform I/O with this oversized block size, it triggers a kernel BUG, causing a crash or instability.

The fix involves checking the return value of sb_set_blocksize() and failing the mount operation if it returns failure.

Impact Analysis

This vulnerability can cause a kernel BUG and crash the system when mounting a romfs filesystem on a specially configured loop device.

Such a crash can lead to denial of service (DoS) by making the system unstable or unusable.

If an attacker has the ability to create or configure loop devices and mount filesystems, they could exploit this to disrupt system availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves mounting a romfs filesystem on a loop device with an incompatible block size, which can trigger a kernel BUG. Detection would involve checking for improper loop device block size settings and monitoring kernel logs for BUG messages related to fs/buffer.c:1582.

Check loop device block size settings using: lsblk -o NAME,ROTA,PHY-SEC,LOG-SEC
Verify if any loop devices have block sizes larger than PAGE_SIZE (usually 4096 bytes).
Monitor kernel logs for BUG messages with: dmesg | grep 'kernel BUG at fs/buffer.c:1582'
Check for mounts of romfs filesystems on loop devices with: mount | grep romfs

Mitigation Strategies

To mitigate this vulnerability, ensure that loop devices are not configured with block sizes larger than PAGE_SIZE before mounting romfs filesystems.

Additionally, apply the kernel patch that fixes the issue by checking the return value of sb_set_blocksize() and failing the mount if the block size is incompatible.

Avoid mounting romfs filesystems on loop devices with incompatible block sizes until the fix is applied.

Hi! I’m here to help you understand CVE-2026-23238. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-23238

Improper Blocksize Validation in Linux romfs Causes Kernel Crash

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart