Skip to main content

Linux Kernel CVE-2026-46303

| EUVDEUVD-2026-35168 HIGH
Memory Leak (CWE-401)
2026-06-08 Linux GHSA-phcq-c45r-9f84
High
Disputed · 8.2 Vendor: Linux
Share

Severity by source

Sources disagree (Low–High)
Vendor (Linux) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
1.8 LOW

Triggered by mounting a crafted ISO (physical media via udisks2 with user interaction, or CAP_SYS_ADMIN), narrow readlink info-leak only - hence AV:P, AC:H, UI:R, C:L, I/A:N.

3.1 AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
4.0 AV:P/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
2.5 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: Linux

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:28 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
8.2 (HIGH)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 cve.org
HIGH 8.2
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate Rock Ridge CE continuation extent against volume size

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume. commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device. sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent- filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice.

AnalysisAI

Out-of-bounds disk read in the Linux kernel ISO 9660 filesystem (isofs) Rock Ridge handler allows narrow information disclosure when a crafted ISO image is mounted. The rock_continue() function trusted the CE continuation extent block number from the on-disk Rock Ridge record and passed it to sb_bread() without bounds checking against the volume size, so a malicious ISO can cause the kernel to read blocks belonging to an adjacent filesystem on the same block device and surface their contents through readlink() on SL sub-records. EPSS is 0.02%, no public exploit identified at time of analysis, and the issue is not on CISA KEV.

Technical ContextAI

isofs is the Linux kernel driver for ISO 9660 optical-media filesystems with the Rock Ridge POSIX extension. A Rock Ridge CE (Continuation Entry) record points at another disk block containing further System Use Sharing Protocol records; fs/isofs/rock.c rock_continue() already validated cont_offset and cont_size (added by commit e595447e177b) and capped the CE chain length at RR_MAX_CE_ENTRIES=32 (commit f54e18f1b831), but never validated rs->cont_extent against ISOFS_SB(sb)->s_nzones. The root cause class is missing input validation / improper bounds check on attacker-controlled on-disk metadata (CWE-1284 / CWE-125-adjacent), where sb_bread() on an out-of-range block returns NULL safely via the block layer EIO path, but an in-range block number can point at sectors of a co-resident filesystem; those bytes are then parsed as Rock Ridge SL records and the symlink text reaches userspace via readlink(). The affected CPE is cpe:2.3:a:linux:linux:* across many stable branches.

RemediationAI

Vendor-released patch: upgrade to a fixed Linux stable release - 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7 or 7.1-rc2 (or any later kernel that picks up the rock_continue() s_nzones bounds check) - using the kernel.org stable commits listed at https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be and the other patch hashes above; distribution kernels will publish equivalent advisories. Where patching has to wait, disable optical/removable-media auto-mounting in udisks2 by setting a polkit rule that denies org.freedesktop.udisks2.filesystem-mount(-other-seat) for untrusted users or removing the isofs module with rmmod isofs and blacklisting it in /etc/modprobe.d (trade-off: legitimate CD/DVD/ISO mounts on that host stop working); on multi-user or kiosk systems also revoke CAP_SYS_ADMIN and unprivileged-mount paths that would let an attacker present a crafted ISO. Generic monitoring is low-value here because exploitation produces no crash - the only signal is the existing 'corrupted directory entry' printk once the patch is in.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy