CVE-2026-46303

Buffer Overflow in Linux Kernel ISOFS Rock Ridge Handling

Vulnerability report for CVE-2026-46303, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-08

Last updated on: 2026-06-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate Rock Ridge CE continuation extent against volume size

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume. commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device. sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent-filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice.
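As an added illustration (not the kernel's fs/isofs/rock.c and not code from the CVE record), the following user-space C model shows the shape of the validation the description calls for: the pre-existing offset/size rejection, the RR_MAX_CE_ENTRIES chain cap, and the new check that the continuation extent lies below the volume's zone count. The CE record layout follows the SUSP "CE" entry (28 bytes: signature, length, version, then three both-byte-order 32-bit fields); the names struct rr_ce, parse_ce, validate_ce and build_ce are hypothetical, and the sample record is constructed here.

```c
/* User-space model of the Rock Ridge CE validation described for CVE-2026-46303.
 * Added example, not kernel code; all names below are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

#define RR_MAX_CE_ENTRIES 32   /* chain cap introduced by f54e18f1b831, per the description */
#define CE_RECORD_LEN     28   /* size of a SUSP "CE" entry */

struct rr_ce {
    uint32_t extent;   /* block number of the continuation area (cont_extent) */
    uint32_t offset;   /* byte offset inside that block (cont_offset) */
    uint32_t size;     /* number of continuation bytes (cont_size) */
};

/* Little-endian half of a SUSP both-byte-order 32-bit field. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a SUSP "CE" entry into struct rr_ce.
 * Returns 0 on success, -EINVAL if the bytes are not a well-formed CE entry. */
int parse_ce(const uint8_t *rec, size_t len, struct rr_ce *out)
{
    if (len < CE_RECORD_LEN || rec[0] != 'C' || rec[1] != 'E' ||
        rec[2] != CE_RECORD_LEN || rec[3] != 1)
        return -EINVAL;
    out->extent = le32(rec + 4);    /* bytes 4..11: block location */
    out->offset = le32(rec + 12);   /* bytes 12..19: offset */
    out->size   = le32(rec + 20);   /* bytes 20..27: length */
    return 0;
}

/* Decide whether a CE entry may be followed, in the shape the description gives
 * for rock_continue():
 *   - cont_offset/cont_size must fit inside one block (e595447e177b);
 *   - cont_extent must be below s_nzones, the volume size in blocks (this fix);
 *   - the chain length is capped at RR_MAX_CE_ENTRIES (f54e18f1b831).
 * Returns 0 to follow the extent, -EIO for a corrupted entry, -ELOOP when the
 * chain is too long. Each rejected entry prints the corrupted-directory-entry
 * notice, which is what the detection guidance below greps for. */
int validate_ce(const struct rr_ce *ce, unsigned int blocksize,
                uint32_t s_nzones, unsigned int *cont_loops)
{
    if (ce->offset > blocksize - 1 || ce->size > blocksize ||
        ce->offset + ce->size > blocksize ||
        ce->extent >= s_nzones) {            /* the new bounds check */
        printf("rock: corrupted directory entry. extent=%u, offset=%u, size=%u\n",
               (unsigned)ce->extent, (unsigned)ce->offset, (unsigned)ce->size);
        return -EIO;
    }
    if (++*cont_loops >= RR_MAX_CE_ENTRIES)
        return -ELOOP;
    return 0;
}

/* Construct a CE entry (both-byte-order fields) so the model can be exercised
 * without an ISO image. Test-data helper only. */
void build_ce(uint8_t *buf, uint32_t extent, uint32_t offset, uint32_t size)
{
    const uint32_t vals[3] = { extent, offset, size };
    buf[0] = 'C'; buf[1] = 'E'; buf[2] = CE_RECORD_LEN; buf[3] = 1;
    for (int i = 0; i < 3; i++) {
        uint8_t *f = buf + 4 + 8 * i;
        for (int b = 0; b < 4; b++) {
            f[b]     = (uint8_t)(vals[i] >> (8 * b));        /* little-endian half */
            f[7 - b] = (uint8_t)(vals[i] >> (8 * b));        /* big-endian half */
        }
    }
}

int main(void)
{
    uint8_t rec[CE_RECORD_LEN];
    struct rr_ce ce;
    unsigned int loops = 0;
    const unsigned int blocksize = 2048;   /* ISO 9660 logical block size */
    const uint32_t s_nzones = 1000;        /* constructed: volume is 1000 blocks */

    build_ce(rec, 40, 0, 100);             /* in-range continuation */
    parse_ce(rec, sizeof rec, &ce);
    printf("extent 40 -> %d\n", validate_ce(&ce, blocksize, s_nzones, &loops));

    build_ce(rec, 5000, 0, 100);           /* points past the end of the volume */
    parse_ce(rec, sizeof rec, &ce);
    printf("extent 5000 -> %d\n", validate_ce(&ce, blocksize, s_nzones, &loops));
    return 0;
}
```

The kernel's real check takes the block size from the inode's superblock and the zone count from ISOFS_SB(sb)->s_nzones; the model keeps both as plain parameters so the rejection logic can be read and tested on its own.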


Meta Information

Published
2026-06-08
Last Modified
2026-06-14
Generated
2026-06-29
AI Q&A
2026-06-08
EPSS Evaluated
2026-06-27

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
linux_kernel isofs *
linux linux_kernel *



CWE ID Description
CWE-UNKNOWN


AI Quick Actions

Executive Summary

This vulnerability exists in the Linux kernel's ISO 9660 filesystem implementation, specifically in the handling of Rock Ridge CE (Continuation Extent) records. The function rock_continue() reads a block number from the CE record and passes it to sb_bread() without verifying that the block number is within the bounds of the mounted ISO 9660 volume.

Because the block number is unchecked, a specially crafted ISO image can cause the system to read blocks that are out-of-range or belong to an adjacent filesystem on the same block device. While out-of-range reads return NULL safely, in-range reads of adjacent filesystem data can leak some information through the parsing of SL (symbolic link) sub-records, which can be accessed by userspace via readlink().

The vulnerability was addressed by adding a bounds check on the block number to ensure it is within the volume size, rejecting malformed CE entries and preventing potential information leaks.

Impact Analysis

This vulnerability can lead to a narrow information leak where data from adjacent filesystems on the same block device might be exposed to userspace processes that mount a crafted ISO image. Although it does not cause memory safety violations or allow arbitrary code execution, it can reveal some filesystem metadata or symbolic link text that should not be accessible.

The impact is limited due to the narrow scope of the leaked information and the requirement for mounting a maliciously crafted ISO image with appropriate privileges (such as via udisks2 or CAP_SYS_ADMIN).

Mitigation Strategies

The vulnerability is resolved by validating the Rock Ridge CE continuation extent against the volume size in the Linux kernel's isofs module.

To mitigate this vulnerability immediately, ensure your Linux kernel is updated to a version that includes the fix for CVE-2026-46303, which adds the ISOFS_SB(sb)->s_nzones bounds check in rock_continue(). Note that the earlier commits referenced in the description (e595447e177b and f54e18f1b831) hardened the same function but did not validate the CE extent block number, so their presence alone does not indicate a patched kernel.

Avoid mounting untrusted or crafted ISO 9660 images, especially via udisks2 or with CAP_SYS_ADMIN privileges, until the kernel is patched.

Compliance Impact

The vulnerability allows a narrow information leak through malformed Rock Ridge CE continuation extents, potentially exposing some filesystem metadata via readlink() when mounting crafted ISO images. However, the leak is limited to text from SL sub-records and is difficult to exploit.

There is no explicit information in the provided context about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the Linux kernel's isofs module improperly validating Rock Ridge CE continuation extents, which can lead to reading out-of-range blocks when mounting crafted ISO images.

Detection would primarily involve monitoring or inspecting mounted ISO 9660 filesystems for suspicious or malformed Rock Ridge CE entries, especially those that might cause infinite loops or reference out-of-range blocks.

Since the vulnerability is triggered by mounting crafted ISO images, one practical approach is to audit recently mounted ISO filesystems and check kernel logs for messages related to corrupted directory entries or errors from the isofs module.

  • Check kernel logs for the corrupted-directory-entry notice printed by the isofs Rock Ridge code, e.g., using: dmesg | grep -i 'corrupted directory entry'
  • List currently mounted ISO filesystems: mount | grep iso9660
  • Inspect suspicious ISO files before mounting using tools like isoinfo or mount them in a controlled environment.

There are no specific commands or network detection signatures provided in the available information.
