Skip to main content

Linux Kernel CVE-2026-53320

| EUVDEUVD-2026-39855 MEDIUM
2026-06-26 Linux GHSA-r88h-63mh-cc6h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local ioctl invocation with low-privilege user access required; pure availability impact via kernel WARN_ON with no confidentiality or integrity consequences.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 20:47 vuln.today
CVSS changed
Jul 06, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:41 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:41 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped.

However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT).

Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration.

[ryusuke: slightly modified the commit message and comments for accuracy]

AnalysisAI

Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain local low-privilege shell
Delivery
Identify mounted nilfs2 filesystem
Exploit
Craft ioctl struct with bd_oblocknr=0
Install
Submit NILFS_IOCTL_MARK_BLOCKS_DIRTY
C2
Bypass dead block sentinel check
Execute
Trigger WARN_ON via nilfs_btree_do_lookup
Impact
Kernel denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the target system must have a nilfs2 filesystem mounted - systems without nilfs2 loaded as a kernel module are entirely unaffected; (2) the attacker must have a local low-privilege user session with the ability to invoke ioctl on the nilfs2 device (PR:L per CVSS vector); and (3) the kernel must be running an unpatched version in one of the affected stable branches. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 Medium is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a Linux system with a nilfs2 filesystem mounted issues a crafted NILFS_IOCTL_MARK_BLOCKS_DIRTY ioctl with the bd_oblocknr field set to zero in the block descriptor structure. The kernel's dead block detection logic incorrectly treats this as a match when a lookup returns -ENOENT and internally zeros bd_blocknr, bypassing the skip condition and passing the invalid block reference to nilfs_bmap_mark(). …
Remediation Update to the nearest patched stable kernel release: 5.10.258 or later for the 5.10.x series, 5.15.209 or later for 5.15.x, 6.1.175 or later for 6.1.x, 6.6.141 or later for 6.6.x, 6.12.91 or later for 6.12.x, 6.18.33 or later for 6.18.x, 7.0.10 or later for 7.0.x, and 7.1 or later for the mainline series. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy