Skip to main content

Linux Kernel EUVDEUVD-2026-38998

| CVE-2026-53130 HIGH
Integer Underflow (CWE-191)
2026-06-24 Linux GHSA-2j9j-p8f4-hwp3
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local crafted-image mount with user interaction (AV:L/UI:R); no attacker privilege needed to author the image (PR:N), and kernel memory corruption yields full C/I/A impact.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:12 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
Jun 24, 2026 - 18:02 EUVD
CVE Published
Jun 24, 2026 - 16:30 cve.org
HIGH 7.8
CVE Published
Jun 24, 2026 - 16:30 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.

AnalysisAI

Out-of-bounds kernel memory write in the Linux kernel's OMFS filesystem driver (fs/omfs) allows a local attacker to corrupt kernel memory by mounting a crafted OMFS image. omfs_fill_super() validates that s_sys_blocksize is not larger than PAGE_SIZE but fails to enforce a lower bound, so a value below OMFS_DIR_START (0x1b8 = 440) triggers an unsigned integer underflow in omfs_make_empty(), driving a roughly 4 GiB memset() that overwrites kernel memory far beyond the block buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft OMFS image with s_sys_blocksize < 440
Delivery
Deliver image to target host
Exploit
Victim or automounter mounts image
Execution
omfs_make_empty underflow drives 4 GiB memset
Persist
Overwrite kernel memory
Impact
Denial of service or privilege escalation

Vulnerability AssessmentAI

Exploitation Exploitation requires the OMFS filesystem driver (fs/omfs) to be built/loaded and a victim to mount an attacker-crafted OMFS image whose superblock sets s_sys_blocksize to a value smaller than OMFS_DIR_START (0x1b8 = 440 bytes) - that specific malformed field IS the triggering condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent in pointing to a real but constrained risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malformed OMFS filesystem image setting s_sys_blocksize below 440 and delivers it to a target - for example on a USB stick or as a downloadable disk image. When a victim (or an automount service) mounts the image, omfs_fill_super() accepts it and omfs_make_empty() performs the underflowing ~4 GiB memset, corrupting kernel memory and enabling denial of service or potentially privilege escalation. …
Remediation Vendor-released patch: upgrade to a fixed Linux kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1 (or your distribution's equivalent backport) - which adds the missing lower-bound check on s_sys_blocksize in omfs_fill_super(); the fix commits are at git.kernel.org (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify systems with OMFS support enabled in kernel configuration (CONFIG_OMFS). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy