CVE-2026-53130
Received - Intake
Buffer Overflow in Linux Kernel OMFS Filesystem

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses sbi->s_sys_blocksize - OMFS_DIR_START as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.

Meta Information
Published: 2026-06-24
Last Modified: 2026-06-24
Generated: 2026-06-25
AI Q&A: 2026-06-24
EPSS Evaluated: N/A

Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's omfs filesystem code. Specifically, the function omfs_fill_super() properly rejects s_sys_blocksize values that are larger than PAGE_SIZE, but it does not reject values smaller than OMFS_DIR_START (440).

Because s_sys_blocksize is an unsigned 32-bit integer, if a crafted filesystem image sets s_sys_blocksize to a value smaller than OMFS_DIR_START, an unsigned underflow occurs when omfs_make_empty() calculates the length argument for memset(). This causes memset() to overwrite approximately 4 GiB of kernel memory beyond the intended buffer, potentially corrupting kernel memory.

The fix involves adding a lower-bound check in omfs_fill_super() to reject malformed filesystem images before any data is processed.
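
The arithmetic and the bounds check described above, as a user-space model added here for illustration; it is not the kernel's source. The function names and the 4096-byte page size are assumptions, and only OMFS_DIR_START (0x1b8) comes from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OMFS_DIR_START   0x1b8u  /* 440, value given in the advisory */
#define MODEL_PAGE_SIZE  4096u   /* assumption: 4 KiB pages */

/* Length handed to memset(), computed in u32 as the advisory describes. */
static uint32_t memset_len(uint32_t sys_blocksize)
{
    return sys_blocksize - OMFS_DIR_START;  /* wraps when below 0x1b8 */
}

/* Validation as described before the fix: upper bound only. */
static int validate_before(uint32_t sys_blocksize)
{
    return sys_blocksize > MODEL_PAGE_SIZE ? -1 : 0;
}

/* Validation after the fix: lower bound added beside the upper bound. */
static int validate_after(uint32_t sys_blocksize)
{
    if (sys_blocksize > MODEL_PAGE_SIZE || sys_blocksize < OMFS_DIR_START)
        return -1;
    return 0;
}

/* Model of clearing the block tail; returns bytes cleared, -1 if rejected. */
static long clear_tail(uint8_t *block, uint32_t sys_blocksize)
{
    if (validate_after(sys_blocksize) != 0)
        return -1;
    memset(block + OMFS_DIR_START, 0, memset_len(sys_blocksize));
    return (long)memset_len(sys_blocksize);
}

int main(void)
{
    static uint8_t block[MODEL_PAGE_SIZE];
    /* constructed sample values for s_sys_blocksize */
    const uint32_t samples[] = { 0x100, OMFS_DIR_START, 2048, 4096, 8192 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("bs=%5u len=0x%08x before=%d after=%d cleared=%ld\n",
               (unsigned)samples[i], (unsigned)memset_len(samples[i]),
               validate_before(samples[i]), validate_after(samples[i]),
               clear_tail(block, samples[i]));
    return 0;
}
```

A block size of 0x100 passes the upper-bound-only check yet yields a length of 0xffffff48, which is the wrapped value the lower-bound check exists to stop.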

Impact Analysis

This vulnerability can lead to a large memory overwrite in kernel space, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code with kernel privileges.

Because the vulnerability involves overwriting kernel memory far beyond the intended buffer, it can be exploited by an attacker who can supply a crafted filesystem image, potentially leading to privilege escalation or denial of service.

Mitigation Strategies

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the fix has been applied. The fix involves adding a lower-bound check in the omfs_fill_super() function to reject malformed OMFS filesystem images with s_sys_blocksize values smaller than OMFS_DIR_START, preventing unsafe memory operations.

Avoid mounting untrusted or crafted OMFS filesystem images that could exploit this vulnerability until the kernel is patched.
