Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Local crafted-image mount with user interaction (AV:L/UI:R); no attacker privilege needed to author the image (PR:N), and kernel memory corruption yields full C/I/A impact.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).
Later, omfs_make_empty() uses
sbi->s_sys_blocksize - OMFS_DIR_START
as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer.
Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.
AnalysisAI
Out-of-bounds kernel memory write in the Linux kernel's OMFS filesystem driver (fs/omfs) allows a local attacker to corrupt kernel memory by mounting a crafted OMFS image. omfs_fill_super() validates that s_sys_blocksize is not larger than PAGE_SIZE but fails to enforce a lower bound, so a value below OMFS_DIR_START (0x1b8 = 440) triggers an unsigned integer underflow in omfs_make_empty(), driving a roughly 4 GiB memset() that overwrites kernel memory far beyond the block buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the OMFS filesystem driver (fs/omfs) to be built/loaded and a victim to mount an attacker-crafted OMFS image whose superblock sets s_sys_blocksize to a value smaller than OMFS_DIR_START (0x1b8 = 440 bytes) - that specific malformed field IS the triggering condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are largely consistent in pointing to a real but constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malformed OMFS filesystem image setting s_sys_blocksize below 440 and delivers it to a target - for example on a USB stick or as a downloadable disk image. When a victim (or an automount service) mounts the image, omfs_fill_super() accepts it and omfs_make_empty() performs the underflowing ~4 GiB memset, corrupting kernel memory and enabling denial of service or potentially privilege escalation. … |
| Remediation | Vendor-released patch: upgrade to a fixed Linux kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's equivalent backport) - which adds the missing lower-bound check on s_sys_blocksize in omfs_fill_super(); the fix commits are at git.kernel.org (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems with OMFS support enabled in kernel configuration (CONFIG_OMFS). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-191 – Integer Underflow
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38998
GHSA-2j9j-p8f4-hwp3