CVE-2026-23388
Received Received - Intake
Out-of-Bounds Read in Linux Kernel Squashfs Metadata Handling

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23388
EUVD
EUVD-2026-15388
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 2.6.29
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.130 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.77 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.167 (exc)
linux linux_kernel From 2.6.29.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's Squashfs filesystem implementation. It is caused by a corrupted index look-up table that produces a negative metadata block offset. This negative offset is then passed to the function squashfs_copy_data via squashfs_read_metadata, leading to an out-of-bounds memory access. The issue results in a general protection fault, which can cause system instability or crashes. The vulnerability has been fixed by adding a check in squashfs_read_metadata to ensure the offset is within a valid range.

Impact Analysis

This vulnerability can lead to a general protection fault in the Linux kernel, causing crashes or instability in systems using the Squashfs filesystem. An attacker might exploit this to cause denial of service by triggering out-of-bounds memory access, potentially disrupting system operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23388. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart