CVE-2026-46303
Received - Intake
Buffer Overflow in Linux Kernel ISOFS Rock Ridge Handling

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

isofs: validate Rock Ridge CE continuation extent against volume size

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume.

commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device. sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent-filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice.

Meta Information
Published: 2026-06-08
Last Modified: 2026-06-08
Generated: 2026-06-09
AI Q&A: 2026-06-09
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux_kernel isofs *
linux linux_kernel *
CWE ID Description
CWE-UNKNOWN
Compliance Impact

The vulnerability allows a narrow information leak through malformed Rock Ridge CE continuation extents, potentially exposing some filesystem metadata via readlink() when mounting crafted ISO images. However, the leak is limited to text from SL sub-records and is difficult to exploit.

There is no explicit information in the provided context about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the Linux kernel's ISO 9660 filesystem implementation, specifically in the handling of Rock Ridge CE (Continuation Extent) records. The function rock_continue() reads a block number from the CE record and passes it to sb_bread() without verifying that the block number is within the bounds of the mounted ISO 9660 volume.

Because the block number is unchecked, a specially crafted ISO image can cause the system to read blocks that are out-of-range or belong to an adjacent filesystem on the same block device. While out-of-range reads return NULL safely, in-range reads of adjacent filesystem data can leak some information through the parsing of SL (symbolic link) sub-records, which can be accessed by userspace via readlink().

The vulnerability was addressed by adding a bounds check on the block number to ensure it is within the volume size, rejecting malformed CE entries and preventing potential information leaks.
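
A userspace model of the validation described above, as an added example (not kernel code and not part of the original page). It assumes the 28-byte SUSP CE entry layout and a simplified offset/size rule; the function names and the `>=` comparison against s_nzones are this example's own choices, and the sample volume is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Userspace model, not kernel code. cont_extent/cont_offset/cont_size and
 * s_nzones are the page's names; all functions here are hypothetical. */
enum ce_verdict { CE_OK, CE_MALFORMED, CE_BAD_OFFSET_SIZE, CE_EXTENT_OUT_OF_VOLUME };

/* ISO 9660 both-endian 32-bit field: the little-endian copy comes first. */
static uint32_t le_half(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* SUSP "CE" entry, 28 bytes: sig(2) len(1) ver(1), then three 8-byte
 * both-endian fields: block location, offset, length. */
enum ce_verdict check_ce(const uint8_t *rec, size_t n,
                         uint32_t blocksize, uint32_t s_nzones)
{
    if (n < 28 || rec[0] != 'C' || rec[1] != 'E' || rec[2] != 28)
        return CE_MALFORMED;
    uint32_t cont_extent = le_half(rec + 4);
    uint32_t cont_offset = le_half(rec + 12);
    uint32_t cont_size   = le_half(rec + 20);
    /* Offset/size rejection (simplified): data must fit in one block. */
    if (cont_offset > blocksize || cont_size > blocksize ||
        cont_offset + cont_size > blocksize)
        return CE_BAD_OFFSET_SIZE;
    /* The check this fix adds: block number must be inside the volume. */
    if (cont_extent >= s_nzones)
        return CE_EXTENT_OUT_OF_VOLUME;
    return CE_OK;
}

/* Build a constructed CE entry and check it against a constructed volume
 * of 1000 blocks of 2048 bytes (sample values, not from a real image). */
enum ce_verdict demo(uint32_t ext, uint32_t off, uint32_t len)
{
    uint32_t v[3] = { ext, off, len };
    uint8_t rec[28] = { 'C', 'E', 28, 1 };
    for (int f = 0; f < 3; f++)
        for (int b = 0; b < 4; b++) {
            rec[4 + 8 * f + b]     = (uint8_t)(v[f] >> (8 * b)); /* LE */
            rec[4 + 8 * f + 7 - b] = (uint8_t)(v[f] >> (8 * b)); /* BE */
        }
    return check_ce(rec, sizeof rec, 2048, 1000);
}
```

The same routine can be used offline to flag ISO images whose CE entries point past the volume before they are mounted on an unpatched host.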

Impact Analysis

This vulnerability can lead to a narrow information leak where data from adjacent filesystems on the same block device might be exposed to userspace processes that mount a crafted ISO image. Although it does not cause memory safety violations or allow arbitrary code execution, it can reveal some filesystem metadata or symbolic link text that should not be accessible.

The impact is limited due to the narrow scope of the leaked information and the requirement for mounting a maliciously crafted ISO image with appropriate privileges (such as via udisks2 or CAP_SYS_ADMIN).

Mitigation Strategies

The vulnerability is resolved by validating the Rock Ridge CE continuation extent against the volume size in the Linux kernel's isofs module.

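To mitigate this vulnerability immediately, update your Linux kernel to a version that includes the fix for this CVE, which adds the ISOFS_SB(sb)->s_nzones bounds check to rock_continue(). The commits named in the description (e595447e177b and f54e18f1b831) are the earlier hardening changes that added cont_offset/cont_size rejection and the RR_MAX_CE_ENTRIES cap; they left the extent block number unchecked and are not the fix.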

Avoid mounting untrusted or crafted ISO 9660 images, especially via udisks2 or with CAP_SYS_ADMIN privileges, until the kernel is patched.
