CVE-2026-52992
Analyzed Analyzed - Analysis Complete

Out-of-Bounds Write in Linux Kernel ADFS Filesystem

Vulnerability report for CVE-2026-52992, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-24

Last updated on: 2026-07-14

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: fs/adfs: validate nzones in adfs_validate_bblk() Reject ADFS disc records with a zero zone count during boot block validation, before the disc record is used. When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...) which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], causing an out-of-bounds write before the allocated buffer. adfs_validate_dr0() already rejects nzones != 1 for old-format images. Add the equivalent check to adfs_validate_bblk() for new-format images so that a crafted image with nzones == 0 is rejected at probe time. Found by syzkaller.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-24
Last Modified
2026-07-14
Generated
2026-07-15
AI Q&A
2026-06-24
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 5.6 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's ADFS filesystem code, specifically in the validation of the number of zones (nzones) in the disc record during boot block validation.

If the nzones value is zero, the function adfs_read_map() calls kmalloc_array(0, ...), which returns a ZERO_SIZE_PTR. Subsequently, adfs_map_layout() writes to an invalid memory location (dm[-1]), causing an out-of-bounds write before the allocated buffer.

The fix involves adding a validation check in adfs_validate_bblk() to reject disc records with nzones equal to zero for new-format images, preventing the crafted image from being used and avoiding the out-of-bounds write.

Impact Analysis

This vulnerability can lead to an out-of-bounds write in kernel memory when processing a specially crafted ADFS disc record with zero zones.

Such an out-of-bounds write can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges, compromising system security.

Mitigation Strategies

The vulnerability is resolved by validating the 'nzones' field in ADFS disc records during boot block validation to reject records with a zero zone count before use.

To mitigate this vulnerability immediately, ensure your Linux kernel is updated to a version that includes the fix which adds the check in adfs_validate_bblk() to reject crafted images with nzones == 0 at probe time.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart