Skip to main content

Linux Kernel EUVDEUVD-2026-32883

| CVE-2026-46124 HIGH
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5599-pvjx-q3hc
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:53 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

AnalysisAI

Information disclosure in the Linux kernel isofs filesystem allows authenticated NFS peers to read arbitrary in-range blocks from the backing device by submitting crafted NFS file handles to isofs_export_iget(). The flaw resides in isofs_fh_to_dentry() and isofs_fh_to_parent(), which previously only rejected block==0 before passing the attacker-controlled block number to sb_bread(), exposing unrelated adjacent-partition data as iso_inode_info fields returned to NFS clients. No public exploit identified at time of analysis, EPSS is 0.02% (5th percentile), and this is reported as hardening adjacent to the prior CVE-2025-37780 fix.

Technical ContextAI

The vulnerability lives in fs/isofs/export.c in the Linux kernel's ISO 9660 filesystem NFS export helpers. When isofs is exported via NFS, the kernel reconstructs inodes from file handle identifiers (ifid->block, ifid->parent_block) supplied by the NFS client. The earlier commit 0405d4b63d08 (CVE-2025-37780) added an fh_len check to reject undersized handles, but isofs_export_iget() still trusted the embedded block number and only filtered block==0 before invoking isofs_iget()/sb_bread(). Because sb_bread() safely returns NULL via EIO for out-of-range blocks, there is no memory-safety violation; the leaked data class is bounded to in-range reads on the same block device, which is particularly relevant when isofs images are loop-mounted alongside other partitions. The fix rejects any block >= ISOFS_SB(sb)->s_nzones at the gateway function, covering both call sites in a single check. No CWE was assigned, but the issue is best characterized as improper validation of an untrusted index (CWE-129-like) leading to information exposure (CWE-200).

RemediationAI

Vendor-released patches are available: upgrade to Linux 6.6.140, 6.12.88, 6.18.30, 7.0.7, or 7.1-rc2 (or later) on the corresponding stable branch, applying the upstream fix that rejects block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget(). The relevant commits are linked from https://nvd.nist.gov/vuln/detail/CVE-2026-46124 and the kernel.org stable URLs listed above. Where patching is not immediately feasible, the most effective compensating control is to stop exporting isofs (ISO 9660) filesystems via NFS - remove isofs mounts from /etc/exports or unmount loop-mounted ISO images served over NFS, accepting the trade-off that consumers relying on NFS-served ISO content will lose access. Alternatively, restrict NFS access to a tightly scoped set of trusted client networks via firewall and exportfs allowlists, and avoid placing isofs loop images on block devices that also host sensitive partitions, since the disclosure surface is limited to in-range reads on the same backing device. Unloading the isofs module entirely (modprobe -r isofs, blacklist isofs) eliminates exposure on hosts that do not need ISO 9660 support.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy