CVE-2026-52992
Out-of-Bounds Write in Linux Kernel ADFS Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fs/adfs: validate nzones in adfs_validate_bblk()

Reject ADFS disc records with a zero zone count during boot block validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...) which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format images. Add the equivalent check to adfs_validate_bblk() for new-format images so that a crafted image with nzones == 0 is rejected at probe time.

Found by syzkaller.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
linux | linux_kernel | *
linux_kernel | linux_kernel | *

CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's ADFS filesystem code, specifically in the validation of the number of zones (nzones) in the disc record during boot block validation.

If the nzones value is zero, the function adfs_read_map() calls kmalloc_array(0, ...), which returns a ZERO_SIZE_PTR. Subsequently, adfs_map_layout() writes to an invalid memory location (dm[-1]), causing an out-of-bounds write before the allocated buffer.

The fix involves adding a validation check in adfs_validate_bblk() to reject disc records with nzones equal to zero for new-format images, preventing the crafted image from being used and avoiding the out-of-bounds write.
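
The index arithmetic and the probe-time check described above, as an added userspace C model that is not the kernel's code and not part of the original advisory. The struct layouts, the function names, the error codes and the sample values are assumptions, and the unchecked path reports the out-of-range index instead of performing the write.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins (assumptions), not the kernel's structures. */
struct disc_record { uint16_t nzones; uint32_t zone_bits; };
struct discmap { uint32_t startbit, endbit; };

/* Index of the final-zone entry the layout step fixes up: dm[nzones - 1]. */
static long last_zone_index(unsigned int nzones) { return (long)nzones - 1; }

/* Model of the added probe-time check: reject a zero zone count. */
static int validate_bblk_model(const struct disc_record *dr) { return dr->nzones == 0 ? -EINVAL : 0; }

/* Allocate and lay out the map. check_nzones == 0 models the pre-fix path,
 * but reports the out-of-range index via *bad_index instead of writing. */
static int read_map_model(const struct disc_record *dr, int check_nzones, long *bad_index)
{
    long last = last_zone_index(dr->nzones);
    struct discmap *dm;
    *bad_index = 0;
    if (check_nzones && validate_bblk_model(dr) != 0)
        return -EINVAL;                 /* rejected before any allocation */
    if (last < 0) {
        *bad_index = last;              /* the write would land before the buffer */
        return -EFAULT;
    }
    dm = calloc(dr->nzones, sizeof(*dm));
    if (dm == NULL)
        return -ENOMEM;
    for (unsigned int z = 0; z < dr->nzones; z++) {
        dm[z].startbit = 32;
        dm[z].endbit = 32 + dr->zone_bits;
    }
    dm[last].endbit = 32 + dr->zone_bits / 2;   /* constructed short final zone */
    free(dm);
    return (int)dr->nzones;
}

int main(void)
{
    struct disc_record bad = { 0, 4096 };       /* constructed input: zero zones */
    long idx;
    int rc = read_map_model(&bad, 0, &idx);
    printf("without check: rc=%d, index=%ld\n", rc, idx);
    printf("with check:    rc=%d\n", read_map_model(&bad, 1, &idx));
    return 0;
}
```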

Impact Analysis

This vulnerability can lead to an out-of-bounds write in kernel memory when processing a specially crafted ADFS disc record with zero zones.

Such an out-of-bounds write can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges, compromising system security.

Mitigation Strategies

The vulnerability is resolved by validating the 'nzones' field in ADFS disc records during boot block validation to reject records with a zero zone count before use.

To mitigate this vulnerability immediately, update your Linux kernel to a version that includes the fix, which adds the check in adfs_validate_bblk() to reject crafted images with nzones == 0 at probe time.
