Skip to main content

util-linux libblkid CVE-2026-13595

| EUVDEUVD-2026-40053 MEDIUM
Use After Free (CWE-416)
2026-06-29 redhat GHSA-qpmf-9p9c-455w
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (redhat) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
vuln.today AI
6.8 MEDIUM

AV:L because block device presentation is required; PR:N because udev invokes libblkid as root automatically without attacker credentials; A:H for privileged service crash; C:L for bounded heap read leak.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Red Hat
6.8 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
High

Lifecycle Timeline

4
CVSS changed
Jul 08, 2026 - 03:52 NVD
6.8 (MEDIUM) 5.3 (MEDIUM)
Source Code Evidence Fetched
Jun 29, 2026 - 09:19 vuln.today
Analysis Generated
Jun 29, 2026 - 09:19 vuln.today
CVE Published
Jun 29, 2026 - 08:06 cve.org
MEDIUM 6.8

DescriptionNVD

A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.

AnalysisAI

Heap use-after-free read in libblkid (util-linux) enables unauthenticated local attackers to crash udisks or leak root-process heap data by presenting a crafted block device image during nested partition probing. BSD, Minix, Solaris x86, and UnixWare partition table parsers cache raw pointers into a dynamically allocated partition array; when subsequent partition additions trigger array reallocation, those pointers become stale and dereference freed memory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft nested BSD/Minix partition image
Delivery
Insert USB device or trigger loop-mount
Exploit
udev fires udisks auto-probe as root
Execution
libblkid reallocates partition array mid-probe
Persist
Stale cached pointer dereferences freed heap
Impact
Crash udisks service or leak root heap data

Vulnerability AssessmentAI

Exploitation Exploitation specifically requires a crafted block device image that exercises nested partition probing via BSD, Minix, Solaris x86, or UnixWare partition table formats and triggers at least one array reallocation while a parent-partition pointer is cached. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.8 Medium with vector AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H accurately reflects the attack profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a USB drive or disk image containing deeply nested BSD or Minix partition tables engineered so that libblkid's partition array reallocates at least once while a cached parent-partition pointer is still live. Upon physical insertion of the USB device into a target Linux workstation or server, udev automatically triggers udisks to probe the device using libblkid as root - no login, no prompt, no click required. …
Remediation Apply vendor-supplied updates via standard package management (dnf update util-linux on RHEL systems) once a fixed package version is released by Red Hat - monitor https://access.redhat.com/security/cve/CVE-2026-13595 for the official advisory with exact patched package versions. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Affected
SLES15-SP6-CHOST-BYOS Affected
SLES15-SP6-CHOST-BYOS-Aliyun Affected
SLES15-SP6-CHOST-BYOS-Azure Affected
SLES15-SP6-CHOST-BYOS-EC2 Affected

Share

CVE-2026-13595 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy