CVE-2026-46303 (GCVE-0-2026-46303)
Vulnerability from cvelistv5 – Published: 2026-06-08 15:46 – Updated: 2026-06-14 18:07
VLAI
Title
isofs: validate Rock Ridge CE continuation extent against volume size
Summary
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate Rock Ridge CE continuation extent against volume size
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.
With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.
Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.
Severity
8.2 (High)
Assigner
References
8 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Linux | Linux |
Affected:
f54e18f1b831c92f6512d2eedb224cd63d607d3d , < 8356fb821016797f5677cbeee5ddc0d32a95b4be
(git)
Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < d582e12378bc1637f337622feef762f53c43fd57 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < 22b36fa081f38ab397c7697f9d539211b51a0cfc (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < e69da8eeab74b4f4505024c38a17bce060fe7df8 (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < ef048470c90bc8c1b8318bb2ce329da9ef64b9fe (git) Affected: f54e18f1b831c92f6512d2eedb224cd63d607d3d , < a36d990f591320e9dd379ab30063ebfe91d47e1f (git) Affected: 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56 (git) Affected: 212c4d33ca83e2144064fe9c2911607fbed5386f (git) Affected: 96e44adce250199ec9b2b928be66365779ff1b59 (git) Affected: 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 (git) Affected: fbce0d7dc8965c9fb8d411862040239d4a768c71 (git) Affected: 8190393a88f2b0321263a54f2a9eb5a2aa43be7e (git) Affected: 486aa789eadcf44ed87f972b209299c516454693 (git) Affected: b6d20edb6e7cedb4eedb9e0193d20dd488ebae84 (git) Affected: 2.6.32.66 , < 2.6.33 (semver) Affected: 3.2.67 , < 3.3 (semver) Affected: 3.4.107 , < 3.5 (semver) Affected: 3.10.64 , < 3.11 (semver) Affected: 3.12.36 , < 3.13 (semver) Affected: 3.14.28 , < 3.15 (semver) Affected: 3.17.8 , < 3.18 (semver) Affected: 3.18.2 , < 3.19 (semver) |
|
| Linux | Linux |
Affected:
3.19
Unaffected: 0 , < 3.19 (semver) Unaffected: 5.10.258 , ≤ 5.10.* (semver) Unaffected: 5.15.209 , ≤ 5.15.* (semver) Unaffected: 6.1.175 , ≤ 6.1.* (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 6.18.30 , ≤ 6.18.* (semver) Unaffected: 7.0.7 , ≤ 7.0.* (semver) Unaffected: 7.1 , ≤ * (original_commit_for_fix) |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"fs/isofs/rock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "8356fb821016797f5677cbeee5ddc0d32a95b4be",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "d582e12378bc1637f337622feef762f53c43fd57",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "c9b37c8b73f6368e4750e5ccb0632c380b43c6e5",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "22b36fa081f38ab397c7697f9d539211b51a0cfc",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "e69da8eeab74b4f4505024c38a17bce060fe7df8",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "ef048470c90bc8c1b8318bb2ce329da9ef64b9fe",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"lessThan": "a36d990f591320e9dd379ab30063ebfe91d47e1f",
"status": "affected",
"version": "f54e18f1b831c92f6512d2eedb224cd63d607d3d",
"versionType": "git"
},
{
"status": "affected",
"version": "08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56",
"versionType": "git"
},
{
"status": "affected",
"version": "212c4d33ca83e2144064fe9c2911607fbed5386f",
"versionType": "git"
},
{
"status": "affected",
"version": "96e44adce250199ec9b2b928be66365779ff1b59",
"versionType": "git"
},
{
"status": "affected",
"version": "1fe5620fcd6c2f0a4a927ee10c8e53196da392f3",
"versionType": "git"
},
{
"status": "affected",
"version": "fbce0d7dc8965c9fb8d411862040239d4a768c71",
"versionType": "git"
},
{
"status": "affected",
"version": "8190393a88f2b0321263a54f2a9eb5a2aa43be7e",
"versionType": "git"
},
{
"status": "affected",
"version": "486aa789eadcf44ed87f972b209299c516454693",
"versionType": "git"
},
{
"status": "affected",
"version": "b6d20edb6e7cedb4eedb9e0193d20dd488ebae84",
"versionType": "git"
},
{
"lessThan": "2.6.33",
"status": "affected",
"version": "2.6.32.66",
"versionType": "semver"
},
{
"lessThan": "3.3",
"status": "affected",
"version": "3.2.67",
"versionType": "semver"
},
{
"lessThan": "3.5",
"status": "affected",
"version": "3.4.107",
"versionType": "semver"
},
{
"lessThan": "3.11",
"status": "affected",
"version": "3.10.64",
"versionType": "semver"
},
{
"lessThan": "3.13",
"status": "affected",
"version": "3.12.36",
"versionType": "semver"
},
{
"lessThan": "3.15",
"status": "affected",
"version": "3.14.28",
"versionType": "semver"
},
{
"lessThan": "3.18",
"status": "affected",
"version": "3.17.8",
"versionType": "semver"
},
{
"lessThan": "3.19",
"status": "affected",
"version": "3.18.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"fs/isofs/rock.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "3.19"
},
{
"lessThan": "3.19",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.258",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.209",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.175",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.140",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.88",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.30",
"versionType": "semver"
},
{
"lessThanOrEqual": "7.0.*",
"status": "unaffected",
"version": "7.0.7",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.258",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.209",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.175",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.140",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.88",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.30",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0.7",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.1",
"versionStartIncluding": "3.19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.32.66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.2.67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.4.107",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.10.64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.12.36",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.14.28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.17.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "3.18.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate Rock Ridge CE continuation extent against volume size\n\nrock_continue() reads rs-\u003econt_extent verbatim from the Rock Ridge CE\nrecord and passes it to sb_bread() without checking that the block\nnumber is within the mounted ISO 9660 volume. commit e595447e177b\n(\"[PATCH] rock.c: handle corrupted directories\") added cont_offset\nand cont_size rejection for the CE continuation but did not validate\nthe extent block number itself. commit f54e18f1b831 (\"isofs: Fix\ninfinite looping over CE entries\") later capped the CE chain length\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\n\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\nor via CAP_SYS_ADMIN mount, rs-\u003econt_extent can therefore point at\nan out-of-range block or at blocks belonging to an adjacent\nfilesystem on the same block device. sb_bread() on an out-of-range\nblock returns NULL cleanly via the block layer EIO path, so there\nis no memory-safety violation. For in-range reads of adjacent-\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\nonly the text of SL sub-records reaches userspace through\nreadlink(), which makes the info-leak channel narrow and difficult\nto exploit; still, rejecting the malformed CE outright matches the\nrejection shape already present in the same function for\ncont_offset and cont_size.\n\nAdd an ISOFS_SB(sb)-\u003es_nzones bounds check to rock_continue() next\nto the existing offset/size rejection, printing the same\ncorrupted-directory-entry notice."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-14T18:07:47.782Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be"
},
{
"url": "https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57"
},
{
"url": "https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9"
},
{
"url": "https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5"
},
{
"url": "https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc"
},
{
"url": "https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8"
},
{
"url": "https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe"
},
{
"url": "https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f"
}
],
"title": "isofs: validate Rock Ridge CE continuation extent against volume size",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-46303",
"datePublished": "2026-06-08T15:46:30.642Z",
"dateReserved": "2026-05-13T15:03:33.111Z",
"dateUpdated": "2026-06-14T18:07:47.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46303",
"date": "2026-06-17",
"epss": "0.00278",
"percentile": "0.19401"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46303\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-06-08T17:16:48.853\",\"lastModified\":\"2026-06-14T06:16:23.533\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nisofs: validate Rock Ridge CE continuation extent against volume size\\n\\nrock_continue() reads rs-\u003econt_extent verbatim from the Rock Ridge CE\\nrecord and passes it to sb_bread() without checking that the block\\nnumber is within the mounted ISO 9660 volume. commit e595447e177b\\n(\\\"[PATCH] rock.c: handle corrupted directories\\\") added cont_offset\\nand cont_size rejection for the CE continuation but did not validate\\nthe extent block number itself. commit f54e18f1b831 (\\\"isofs: Fix\\ninfinite looping over CE entries\\\") later capped the CE chain length\\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\\n\\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\\nor via CAP_SYS_ADMIN mount, rs-\u003econt_extent can therefore point at\\nan out-of-range block or at blocks belonging to an adjacent\\nfilesystem on the same block device. sb_bread() on an out-of-range\\nblock returns NULL cleanly via the block layer EIO path, so there\\nis no memory-safety violation. For in-range reads of adjacent-\\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\\nonly the text of SL sub-records reaches userspace through\\nreadlink(), which makes the info-leak channel narrow and difficult\\nto exploit; still, rejecting the malformed CE outright matches the\\nrejection shape already present in the same function for\\ncont_offset and cont_size.\\n\\nAdd an ISOFS_SB(sb)-\u003es_nzones bounds check to rock_continue() next\\nto the existing offset/size rejection, printing the same\\ncorrupted-directory-entry notice.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…