CVE-2026-13595

Heap Use-After-Free in util-linux libblkid

Vulnerability report for CVE-2026-13595, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Red Hat, Inc.

Description

A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

2 associated CPEs

Vendor      Product     Version / Range
util-linux  libblkid    *
util-linux  util-linux  up to 3.13.0 (inclusive)

Exploitability

CWE ID   Description
CWE-416  The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

AI Quick Actions

Compliance Impact

This vulnerability in the libblkid library could lead to limited information disclosure or denial of service when exploited. Since libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events, an attacker could potentially gain unauthorized access to system information or disrupt system availability.

Such impacts may affect compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and system availability. Information disclosure could lead to unauthorized access to personal or sensitive data, violating confidentiality requirements. Denial of service could impact system availability, which is also a compliance concern.

However, the provided context does not explicitly mention compliance implications or specific regulatory impacts.

Executive Summary

This vulnerability is a heap use-after-free flaw in the libblkid library of util-linux. It occurs during nested partition probing when certain partition probers (BSD, Minix, Solaris x86, and UnixWare) cache a raw pointer to a parent partition entry in a dynamically allocated array. When this array is resized (reallocated), the cached pointer becomes stale (dangling), leading to a use-after-free read.

An attacker can exploit this by presenting a specially crafted block device image, such as via USB insertion or a loop-mounted disk image. Since libblkid is invoked automatically by udev or udisks with root privileges on block-device hot-plug events, the flaw can be triggered without user interaction.

Impact Analysis

Exploitation of this vulnerability can lead to limited information disclosure or denial of service. Because libblkid runs with root privileges during block-device hot-plug events, an attacker could potentially cause memory corruption or crashes.

In some cases, as indicated by the detailed bug report, this flaw could be leveraged to achieve arbitrary code execution or other serious security impacts.

Detection Guidance

This vulnerability can be detected by using the standard blkid command with the partition probing option, which triggers the nested partition probing functionality where the flaw exists.

Specifically, running the command blkid -p on a crafted disk image that mimics the conditions described (such as a malicious 2 MiB DOS/MBR disk image with BSD-typed primary partitions and an md-raid 0.90 superblock) can trigger the vulnerability and help detect its presence.

Mitigation Strategies

To mitigate this vulnerability, you should update the util-linux package to a version that includes the upstream fix committed to the util-linux repository.

The fix changes the internal storage mechanism in libblkid to prevent stale pointers during nested partition probing, eliminating the use-after-free condition.
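As an added illustration that is not libblkid's code or the upstream fix, the following models the pattern the description names (a prober keeping a raw pointer into an array that is later reallocated) next to an index-based alternative. The partition-list types, growth policy, sector values and function names are hypothetical, and whether the upstream change uses indices is not stated on this page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified growable partition table; not libblkid's real types. */
struct part { uint64_t start; size_t parent_idx; };
struct partlist { struct part *items; size_t n, cap; };
/* Grow by allocating a fresh block and freeing the old one, as realloc() may also do:
 * every pointer into the old block is dangling afterwards. */
static int partlist_grow(struct partlist *pl) {
    size_t ncap = pl->cap ? pl->cap * 2 : 1;
    struct part *np = malloc(ncap * sizeof *np);
    if (!np) return -1;
    if (pl->n) memcpy(np, pl->items, pl->n * sizeof *np);
    free(pl->items);
    pl->items = np; pl->cap = ncap;
    return 0;
}

static struct part *partlist_add(struct partlist *pl, uint64_t start, size_t parent) {
    if (pl->n == pl->cap && partlist_grow(pl) < 0) return NULL;
    struct part *p = &pl->items[pl->n++];
    p->start = start; p->parent_idx = parent;
    return p;
}

/* Vulnerable pattern: the prober caches the pointer returned for the parent entry and
 * keeps it while children are added. The CVE dereferences that stale pointer; here it
 * is only compared with the live entry's address, so 1 means the cache is dangling. */
int cached_parent_pointer_stale(size_t nchildren) {
    struct partlist pl = {0};
    struct part *parent = partlist_add(&pl, 2048, (size_t)-1);
    size_t pidx = pl.n - 1;
    for (size_t i = 0; i < nchildren; i++)
        partlist_add(&pl, 2048 + (i + 1) * 64, pidx);    /* may free pl.items */
    int stale = parent != &pl.items[pidx];
    free(pl.items);
    return stale;
}

/* Hardened pattern: keep the parent's index and re-derive the entry from the live array. */
uint64_t probe_nested_by_index(size_t nchildren) {
    struct partlist pl = {0};
    partlist_add(&pl, 2048, (size_t)-1);
    size_t pidx = pl.n - 1;
    for (size_t i = 0; i < nchildren; i++)
        partlist_add(&pl, pl.items[pidx].start + (i + 1) * 64, pidx); /* index survives growth */
    uint64_t last = pl.items[pl.n - 1].start;   /* start sector of the last entry added */
    free(pl.items);
    return last;
}
```

Run the first function under AddressSanitizer with the comparison replaced by a read through `parent` to see the use-after-free report the description refers to.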

Additionally, avoid inserting or mounting untrusted block device images (such as USB devices or loop-mounted disk images) until the patch is applied, as the vulnerability can be triggered automatically by udev/udisks running as root.
