CVE-2026-53320
Analyzed Analyzed - Analysis Complete

Integer Overflow in NILFS2 Filesystem Kernel Module

Vulnerability report for CVE-2026-53320, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-06

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped. However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT). Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration. [ryusuke: slightly modified the commit message and comments for accuracy]

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-06
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.2 (inc) to 6.6.141 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.91 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.175 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.209 (exc)
linux linux_kernel From 2.6.30 (inc) to 5.10.258 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's nilfs2 filesystem code, specifically in the function nilfs_ioctl_mark_blocks_dirty(). This function uses a parameter called bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. Normally, bd_oblocknr should never be zero because block 0 stores the primary superblock and is not a valid target for garbage collection.

The issue arises when an ioctl request is corrupted and sets bd_oblocknr to zero. This causes the comparison logic to incorrectly treat the block as valid when the lookup returns an error (-ENOENT) and sets bd_blocknr to zero. As a result, the dead block check is bypassed and the code attempts to mark a non-existent block, leading to a warning triggered by nilfs_btree_do_lookup().

The fix implemented rejects ioctl requests where bd_oblocknr is zero at the start of each iteration, preventing this incorrect behavior.

Detection Guidance

This vulnerability involves the nilfs2 filesystem in the Linux kernel, specifically related to ioctl requests with bd_oblocknr set to 0 causing unexpected behavior and warnings.

Detection can focus on monitoring kernel logs for WARN_ON messages triggered by nilfs_btree_do_lookup() returning -ENOENT, which indicates the problematic condition.

You can check your system logs for such warnings using commands like:

  • dmesg | grep WARN_ON
  • journalctl -k | grep WARN_ON
  • journalctl -k | grep nilfs

Additionally, verifying if your system uses the nilfs2 filesystem and if the kernel version includes the fix can help assess exposure.

Since the vulnerability is triggered by malformed ioctl requests, monitoring for unusual ioctl activity targeting nilfs2 could also be useful, though specific commands for this are not provided.

Impact Analysis

This vulnerability can cause the Linux kernel to attempt operations on non-existent blocks within the nilfs2 filesystem, potentially leading to warnings or errors in the kernel. While the description does not explicitly mention exploitation or direct security impacts such as privilege escalation or data corruption, the improper handling of invalid block numbers could lead to instability or unexpected behavior in the filesystem.

Mitigation Strategies

The vulnerability is fixed by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration in the nilfs_ioctl_mark_blocks_dirty() function.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53320. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart