CVE-2026-46124
Status: Received - Intake
Integer Overflow in Linux Kernel ISOFS

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.

The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.
Meta Information
Published: 2026-05-28
Last Modified: 2026-05-28
Generated: 2026-05-28
AI Q&A: 2026-05-28
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: up to 5.10.0 (inclusive)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's isofs module, specifically in how it handles block numbers taken from NFS file handles. The functions isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-controlled block number from the NFS file handle to isofs_export_iget(). The only check performed before the block is read is that the block number is not zero.

An attacker can craft a file handle with a block number that passes the existing checks but causes the server to read any in-range block on the backing device as if it were an iso_directory_record. Although out-of-range blocks return NULL safely, in-range reads can cause unrelated data from adjacent partitions to be interpreted as directory metadata and sent to the NFS client.

The vulnerability affects isofs exported over NFS from loop-mounted images and requires an authenticated NFS peer. The fix involves rejecting block numbers greater than or equal to the total number of zones (s_nzones) to prevent this improper reading.


How can this vulnerability impact me?

This vulnerability can allow an authenticated NFS client to cause the server to read and expose unintended data from the backing device by supplying a crafted file handle. The server may send unrelated bytes from adjacent partitions as directory metadata to the client.

While there is no memory safety violation or crash, this unintended data exposure could lead to information disclosure of data stored on the device that should not be accessible via the NFS export.

The impact is limited by the narrow deployment surface, as it requires isofs exported over NFS from loop-mounted images and an authenticated NFS peer.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by adding a check to reject block numbers greater than or equal to the number of zones (s_nzones) in isofs_export_iget().

To mitigate this vulnerability, ensure your Linux kernel is updated to a version that includes this fix.

Since the vulnerability affects isofs exported over NFS from loop-mounted images and requires an authenticated NFS peer, limiting or disabling such exports can reduce exposure.
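The validation described in the advisory and in the answers above, as an added example that is not the kernel's own code: a small C model of isofs_export_iget() over a constructed block device. The ISO image occupies the first IMAGE_BLOCKS blocks and a second, unrelated partition follows it on the same device. toy_sb_bread() stands in for sb_bread() (out-of-range blocks fail cleanly with NULL), and the `hardened` flag switches between the pre-fix check (block == 0 only) and the post-fix check (block >= s_nzones also rejected). The struct and function names prefixed `toy_`, the block counts and the "ISO"/"OTHER" block contents are all constructed for this example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed device layout: blocks [0, IMAGE_BLOCKS) belong to the ISO
 * image, blocks [IMAGE_BLOCKS, DEV_BLOCKS) belong to an adjacent partition. */
#define DEV_BLOCKS   8
#define IMAGE_BLOCKS 4
#define BLOCK_SIZE   16

struct toy_device {
    uint32_t nblocks;
    char data[DEV_BLOCKS][BLOCK_SIZE];
};

/* Stand-in for the isofs superblock info; s_nzones mirrors
 * ISOFS_SB(sb)->s_nzones, the number of logical blocks in the image. */
struct toy_isofs_sb {
    uint32_t s_nzones;
};

enum lookup_result {
    LOOKUP_REJECTED = 0,     /* no buffer returned to the caller */
    LOOKUP_IMAGE_DATA = 1,   /* a block from inside the ISO image */
    LOOKUP_FOREIGN_DATA = 2  /* a block from the adjacent partition */
};

/* Stand-in for sb_bread(): a block beyond the device returns NULL (the EIO
 * path), but any block on the device is read, whether or not it belongs to
 * the image. That is why block == 0 alone is not a sufficient check. */
static const char *toy_sb_bread(const struct toy_device *dev, uint32_t block)
{
    if (block >= dev->nblocks)
        return NULL;
    return dev->data[block];
}

/* Model of isofs_export_iget(). Both fh_to_dentry (ifid->block) and
 * fh_to_parent (ifid->parent_block) funnel into this one function, so the
 * single added range check covers both call sites. */
static const char *toy_isofs_export_iget(const struct toy_device *dev,
                                         const struct toy_isofs_sb *sb,
                                         uint32_t block, bool hardened)
{
    if (block == 0)
        return NULL;                  /* pre-existing check */
    if (hardened && block >= sb->s_nzones)
        return NULL;                  /* the fix: block must lie inside the image */
    return toy_sb_bread(dev, block);  /* bytes would be parsed as a directory record */
}

/* Fill the constructed device: image blocks read "ISO<n>", the adjacent
 * partition reads "OTHER<n>" (data that must never reach an NFS client). */
static void toy_device_init(struct toy_device *dev)
{
    dev->nblocks = DEV_BLOCKS;
    for (uint32_t b = 0; b < DEV_BLOCKS; b++)
        snprintf(dev->data[b], BLOCK_SIZE, "%s%" PRIu32,
                 b < IMAGE_BLOCKS ? "ISO" : "OTHER", b);
}

/* Classify what a lookup for 'block' would hand back to the export code. */
static enum lookup_result toy_lookup(uint32_t block, bool hardened)
{
    struct toy_device dev;
    struct toy_isofs_sb sb = { .s_nzones = IMAGE_BLOCKS };
    const char *rec;

    toy_device_init(&dev);
    rec = toy_isofs_export_iget(&dev, &sb, block, hardened);
    if (rec == NULL)
        return LOOKUP_REJECTED;
    return strncmp(rec, "ISO", 3) == 0 ? LOOKUP_IMAGE_DATA : LOOKUP_FOREIGN_DATA;
}

int main(void)
{
    static const char *names[] = { "rejected", "image data", "FOREIGN data" };

    for (uint32_t b = 0; b <= DEV_BLOCKS; b++)
        printf("block %" PRIu32 ": pre-fix %-12s post-fix %s\n", b,
               names[toy_lookup(b, false)], names[toy_lookup(b, true)]);
    return 0;
}
```

Running it shows the three regimes the advisory describes: blocks inside the image are served either way, blocks past the end of the device are rejected either way because the sb_bread() stand-in returns NULL, and blocks between s_nzones and the device end are served as foreign data before the fix and rejected after it.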

