CVE-2026-23388
Description
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check metadata block offset is within range
Syzkaller reports a "general protection fault in squashfs_copy_data".
This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset.
This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access.
The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.
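A userspace model of the range check described above, as an added example that is not the kernel's code or the upstream patch. `struct meta_block`, `offset_from_table`, `read_metadata`, the 8192-byte `METADATA_SIZE` and the sample bytes are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define METADATA_SIZE 8192 /* assumed: maximum uncompressed metadata block size */

/* Hypothetical stand-in for one decompressed metadata block. */
struct meta_block {
    uint8_t data[METADATA_SIZE];
    int length; /* number of valid bytes in data[] */
};

/* Offset as decoded from an untrusted on-image table entry: a 32-bit
 * little-endian field reinterpreted as signed, so a corrupted entry can
 * come out negative. */
static int offset_from_table(const uint8_t raw[4])
{
    uint32_t v = raw[0] | (uint32_t)raw[1] << 8 | (uint32_t)raw[2] << 16 |
                 (uint32_t)raw[3] << 24;
    int32_t s;
    memcpy(&s, &v, sizeof(s));
    return s;
}

/* Copy len bytes starting at offset. Every untrusted value is validated
 * before it is used in pointer arithmetic. Returns len, or -EIO. */
static int read_metadata(const struct meta_block *b, int offset, void *dst, int len)
{
    if (offset < 0 || offset >= METADATA_SIZE)
        return -EIO; /* offset outside any possible metadata block */
    if (len < 0 || offset > b->length || len > b->length - offset)
        return -EIO; /* request runs past the valid data */
    memcpy(dst, b->data + offset, (size_t)len);
    return len;
}

int main(void)
{
    static struct meta_block blk = { .length = 64 };    /* constructed sample */
    const uint8_t good[4] = { 0x10, 0x00, 0x00, 0x00 }; /* decodes to 16 */
    const uint8_t bad[4]  = { 0xf0, 0xff, 0xff, 0xff }; /* decodes to -16 */
    uint8_t out[8];

    printf("good: %d\n", read_metadata(&blk, offset_from_table(good), out, 8));
    printf("bad:  %d\n", read_metadata(&blk, offset_from_table(bad), out, 8));
    return 0;
}
```

Without the first check, the negative offset would be added to `b->data` and the copy would read memory before the block, which is the failure mode the description attributes to squashfs_copy_data.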
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A corrupted Squashfs index table can cause a negative metadata block offset, leading to an out-of-bounds read in the Linux kernel's Squashfs driver.
Vulnerability
Overview
In the Linux kernel's Squashfs filesystem driver, a corrupted index look-up table can produce a negative metadata block offset. This offset is passed to squashfs_read_metadata and subsequently to squashfs_copy_data, where the negative value triggers an out-of-bounds access. The issue was discovered by syzkaller, which reported a general protection fault in squashfs_copy_data [1].
Exploitation
An attacker can exploit this vulnerability by mounting a specially crafted Squashfs image. The attacker must be able to mount the filesystem, which could be achieved through a malicious USB drive, a downloaded image, or other means. No authentication is required beyond the ability to mount the filesystem. The kernel processes the corrupted metadata during mount or read operations, leading to the out-of-bounds access.
Impact
A successful exploit can cause a system crash (denial of service) due to the general protection fault. Additionally, the out-of-bounds read may leak sensitive kernel memory, potentially aiding further attacks. The CVSS v3 score of 7.1 (High) reflects the significant impact on availability and confidentiality.
Mitigation
The fix adds a range check in squashfs_read_metadata to validate the metadata block offset before use. Patches have been applied to multiple stable kernel branches [1][2][3][4]. Users should update their Linux kernel to a version containing the fix to mitigate this vulnerability.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (range: >=2.6.29.1,<5.10.253)
- cpe:2.3:o:linux:linux_kernel:2.6.29:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References
- git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3 (nvd, Patch)
- git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713 (nvd, Patch)
- git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2 (nvd, Patch)
- git.kernel.org/stable/c/3f68a9457a6190814377577374da75f872e0a013 (nvd, Patch)
- git.kernel.org/stable/c/60f679f643f3f36a8571ea585e4ce5d93ef952b5 (nvd, Patch)
- git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383 (nvd, Patch)
- git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c (nvd, Patch)
- git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d (nvd, Patch)