CVE-2026-53320
Received - Intake
Integer Overflow in NILFS2 Filesystem Kernel Module

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped.

However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT).

Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration.

[ryusuke: slightly modified the commit message and comments for accuracy]
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
Impact Analysis

This vulnerability can cause the Linux kernel to attempt operations on non-existent blocks within the nilfs2 filesystem, potentially leading to warnings or errors in the kernel. While the description does not explicitly mention exploitation or direct security impacts such as privilege escalation or data corruption, the improper handling of invalid block numbers could lead to instability or unexpected behavior in the filesystem.

Mitigation Strategies

The vulnerability is fixed by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration in the nilfs_ioctl_mark_blocks_dirty() function.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Executive Summary

This vulnerability exists in the Linux kernel's nilfs2 filesystem code, specifically in the function nilfs_ioctl_mark_blocks_dirty(). This function uses a parameter called bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. Normally, bd_oblocknr should never be zero because block 0 stores the primary superblock and is not a valid target for garbage collection.

The issue arises when an ioctl request is corrupted and sets bd_oblocknr to zero. This causes the comparison logic to incorrectly treat the block as valid when the lookup returns an error (-ENOENT) and sets bd_blocknr to zero. As a result, the dead block check is bypassed and the code attempts to mark a non-existent block, leading to a warning triggered by nilfs_btree_do_lookup().

The fix implemented rejects ioctl requests where bd_oblocknr is zero at the start of each iteration, preventing this incorrect behavior.
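
A userspace C model of the check described above, added here as an illustration; it is not the kernel's code or the upstream patch. The helpers model_lookup() and model_mark(), the reject_zero switch, the sample mapping and the -EINVAL return value are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model; field names follow the advisory, everything else is assumed. */
struct bdesc {
    uint64_t bd_offset;    /* key looked up in the block mapping */
    uint64_t bd_blocknr;   /* filled in by the lookup */
    uint64_t bd_oblocknr;  /* block number supplied by the ioctl caller */
};

/* Constructed mapping: offsets 10 and 11 exist, anything else is unmapped. */
static int model_lookup(uint64_t offset, uint64_t *blocknr)
{
    if (offset == 10) { *blocknr = 100; return 0; }
    if (offset == 11) { *blocknr = 101; return 0; }
    return -ENOENT;
}

/* Stand-in for the mark step: -ENOENT here corresponds to the WARN_ON path. */
static int model_mark(uint64_t offset)
{
    uint64_t unused;
    return model_lookup(offset, &unused);
}

/* reject_zero = 0 models the loop before the fix, 1 models it after. */
int mark_blocks_dirty(struct bdesc *d, size_t n, int reject_zero)
{
    for (size_t i = 0; i < n; i++) {
        if (reject_zero && d[i].bd_oblocknr == 0)
            return -EINVAL;            /* assumed error code */
        if (model_lookup(d[i].bd_offset, &d[i].bd_blocknr) < 0)
            d[i].bd_blocknr = 0;       /* "not found" is encoded as block 0 */
        if (d[i].bd_blocknr != d[i].bd_oblocknr)
            continue;                  /* dead block: skip */
        int ret = model_mark(d[i].bd_offset);
        if (ret < 0)
            return ret;                /* marking a block that does not exist */
    }
    return 0;
}

int main(void)
{
    struct bdesc bad = { .bd_offset = 999, .bd_oblocknr = 0 }; /* constructed */
    printf("old: %d fixed: %d\n", mark_blocks_dirty(&bad, 1, 0), mark_blocks_dirty(&bad, 1, 1));
    return 0;
}
```

The collision comes from 0 doing double duty: it is both the "lookup failed" sentinel written into bd_blocknr and a value the caller can place in bd_oblocknr, so the inequality test cannot tell the two apart unless zero is refused up front.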
