CVE-2026-45991
Analyzed Analyzed - Analysis Complete
Heap Out-of-Bounds Write in Linux Kernel UDF Filesystem

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in part_descs_loc[]. handle_partition_descriptor() deduplicates entries by partition number, but appended slots never record partnum. As a result duplicate Partition Descriptors are appended repeatedly and num_part_descs keeps growing. Once the table is full, the growth path still sizes the allocation from partnum even though inserts are indexed by num_part_descs. If partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep the old capacity and the next append writes past the end of the table. Store partnum in the appended slot and size growth from the next append count so deduplication and capacity tracking follow the same model.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45991
EUVD
EUVD-2026-32287
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.19
linux linux_kernel 4.19
linux linux_kernel 4.19
linux linux_kernel 4.19
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 4.18.7 (inc) to 4.19 (exc)
linux linux_kernel From 4.19.1 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.13 (inc) to 7.0.4 (exc)
linux linux_kernel 4.19
linux linux_kernel 4.19
linux linux_kernel 4.19
linux linux_kernel 4.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's handling of UDF (Universal Disk Format) images. Specifically, when mounting a crafted UDF image containing repeated partition descriptors, a heap out-of-bounds write can occur in the part_descs_loc[] array.

The function handle_partition_descriptor() attempts to deduplicate partition descriptors by partition number, but the appended slots do not record the partition number (partnum). This causes duplicate partition descriptors to be appended repeatedly, increasing the count num_part_descs indefinitely.

When the table is full, the allocation size is still based on partnum, but inserts are indexed by num_part_descs. If partnum is aligned to a certain step size, the allocation capacity does not increase, leading to writes beyond the end of the table (heap out-of-bounds write).

The fix involves storing the partition number in the appended slot and sizing growth based on the next append count, ensuring deduplication and capacity tracking are consistent.

Impact Analysis

This vulnerability can lead to a heap out-of-bounds write when mounting a maliciously crafted UDF image with repeated partition descriptors.

Such a heap out-of-bounds write can cause memory corruption, which may result in system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Therefore, an attacker could exploit this vulnerability to compromise the security and stability of a system running the affected Linux kernel.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45991. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart