Skip to main content

Linux Kernel CVE-2026-45991

| EUVDEUVD-2026-32287 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x889-prf3-g3vg
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.0 HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:35 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

udf: fix partition descriptor append bookkeeping

Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in part_descs_loc[].

handle_partition_descriptor() deduplicates entries by partition number, but appended slots never record partnum. As a result duplicate Partition Descriptors are appended repeatedly and num_part_descs keeps growing.

Once the table is full, the growth path still sizes the allocation from partnum even though inserts are indexed by num_part_descs. If partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep the old capacity and the next append writes past the end of the table.

Store partnum in the appended slot and size growth from the next append count so deduplication and capacity tracking follow the same model.

AnalysisAI

Heap out-of-bounds write in the Linux kernel UDF filesystem driver allows a local attacker to corrupt kernel memory by mounting a crafted UDF image containing repeated partition descriptors. The flaw stems from incorrect bookkeeping in handle_partition_descriptor() where appended slots never record partnum, causing duplicate descriptors to overflow the part_descs_loc[] table. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at only 0.02%.

Technical ContextAI

The vulnerability resides in the UDF (Universal Disk Format) filesystem driver in the Linux kernel, specifically in handle_partition_descriptor() which manages partition descriptor entries during volume recognition. The function attempts to deduplicate descriptors by partition number, but appended slots never store partnum, so duplicate Partition Descriptors continue to be appended and num_part_descs grows unbounded. The growth path sizes allocations based on partnum (using ALIGN(partnum, PART_DESC_ALLOC_STEP)) while inserts are indexed by num_part_descs - once partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN() returns the same capacity and the next insert writes past the end of the heap allocation. This is a classic heap buffer overflow pattern (CWE-787 class) caused by inconsistent index/capacity tracking, even though the CWE field is reported as N/A.

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 7.0.4, 7.1-rc1 or later as appropriate for your branch, referencing the stable commits at https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0, https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8, https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6, and https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a. Until distribution kernel updates land, compensating controls include blacklisting the udf module via /etc/modprobe.d (modprobe.blacklist=udf) on systems that never legitimately mount UDF media - side effect: DVD/Blu-ray and some optical/USB media will no longer mount; disabling unprivileged auto-mount by tightening polkit rules for org.freedesktop.udisks2.filesystem-mount (side effect: desktop users lose seamless removable-media access); and on container hosts, ensuring CAP_SYS_ADMIN is not granted and loop-device mounting is restricted.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy