Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local ioctl invocation with low-privilege user access required; pure availability impact via kernel WARN_ON with no confidentiality or integrity consequences.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped.
However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT).
Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration.
[ryusuke: slightly modified the commit message and comments for accuracy]
AnalysisAI
Improper input validation in the Linux kernel's nilfs2 filesystem driver allows a local low-privileged user to trigger a kernel WARN_ON and cause a denial of service by submitting a crafted ioctl request with bd_oblocknr set to zero. The zero value collides with the -ENOENT sentinel path in nilfs_ioctl_mark_blocks_dirty(), bypassing the dead block detection logic and passing an invalid block reference into nilfs_bmap_mark(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the target system must have a nilfs2 filesystem mounted - systems without nilfs2 loaded as a kernel module are entirely unaffected; (2) the attacker must have a local low-privilege user session with the ability to invoke ioctl on the nilfs2 device (PR:L per CVSS vector); and (3) the kernel must be running an unpatched version in one of the affected stable branches. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 Medium is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a Linux system with a nilfs2 filesystem mounted issues a crafted NILFS_IOCTL_MARK_BLOCKS_DIRTY ioctl with the bd_oblocknr field set to zero in the block descriptor structure. The kernel's dead block detection logic incorrectly treats this as a match when a lookup returns -ENOENT and internally zeros bd_blocknr, bypassing the skip condition and passing the invalid block reference to nilfs_bmap_mark(). … |
| Remediation | Update to the nearest patched stable kernel release: 5.10.258 or later for the 5.10.x series, 5.15.209 or later for 5.15.x, 6.1.175 or later for 6.1.x, 6.6.141 or later for 6.6.x, 6.12.91 or later for 6.12.x, 6.18.33 or later for 6.18.x, 7.0.10 or later for 7.0.x, and 7.1 or later for the mainline series. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39855
GHSA-r88h-63mh-cc6h