CVE-2026-46124
Analyzed
Analyzed - Analysis Complete
Integer Overflow in Linux Kernel ISOFS
Vulnerability report for CVE-2026-46124, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-28
Last updated on: 2026-06-24
Assigner: kernel.org
Description
Description
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate block number from NFS file handle in isofs_export_iget
isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-
controlled block number (ifid->block or ifid->parent_block) from
the NFS file handle to isofs_export_iget(), which only rejects
block == 0 before calling isofs_iget() and ultimately sb_bread().
A crafted file handle with fh_len sufficient to pass the check
added by commit 0405d4b63d08 ("isofs: Prevent the use of too small
fid") can still drive the server to read any in-range block on the
backing device as if it were an iso_directory_record. That earlier
fix was assigned CVE-2025-37780.
sb_bread() on an out-of-range block returns NULL cleanly via the
EIO path, so there is no memory-safety violation. For in-range
reads of adjacent-partition data on the same block device, the
unrelated bytes end up in iso_inode_info fields that reach the NFS
client as dentry metadata. The deployment surface (isofs exported
over NFS from loop-mounted images) is narrow and requires an
authenticated NFS peer, but the malformed-file-handle class is
reportable as hardening next to the existing CVE-2025-37780 fix.
Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so
the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()
call sites with a single line.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | From 6.14.4 (inc) to 6.15 (exc) |
| linux | linux_kernel | From 5.4.293 (inc) to 5.5 (exc) |
| linux | linux_kernel | 7.1 |
| linux | linux_kernel | From 6.19 (inc) to 7.0.7 (exc) |
| linux | linux_kernel | From 5.10.237 (inc) to 5.10.258 (exc) |
| linux | linux_kernel | From 5.15.181 (inc) to 5.15.209 (exc) |
| linux | linux_kernel | From 6.1.135 (inc) to 6.1.175 (exc) |
| linux | linux_kernel | From 6.6.88 (inc) to 6.6.140 (exc) |
| linux | linux_kernel | From 6.12.25 (inc) to 6.12.88 (exc) |
| linux | linux_kernel | From 6.15.1 (inc) to 6.18.30 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |