CVE-2026-46124
Description
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate block number from NFS file handle in isofs_export_iget
isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780.
sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.
Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.
Affected products
1Patches
10bb0988ed4f2eisofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
4c721a1d9b3cisofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
afbafeddf23disofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
243764581383isofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
0a1af74ae217isofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
bb0988ed4f2eisofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
afbafeddf23disofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
0a1af74ae217isofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
4c721a1d9b3cisofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
243764581383isofs: validate block number from NFS file handle in isofs_export_iget
2 files changed · +2 −4
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
fs/isofs/export.c+1 −2 modifieddiff --git a/fs/isofs/export.c b/fs/isofs/export.c index 421d247fae5230..78f80c1a5c54a0 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -24,7 +24,7 @@ isofs_export_iget(struct super_block *sb, { struct inode *inode; - if (block == 0) + if (block == 0 || block >= ISOFS_SB(sb)->s_nzones) return ERR_PTR(-ESTALE); inode = isofs_iget(sb, block, offset); if (IS_ERR(inode)) -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing upper-bound validation on attacker-controlled block number from NFS file handle in isofs_export_iget allows reading arbitrary in-range blocks as iso_directory_record."
Attack vector
An authenticated NFS peer sends a crafted NFS file handle with a `fh_len` sufficient to pass the size check from commit 0405d4b63d08 (CVE-2025-37780) but containing a `block` or `parent_block` value that is non-zero yet outside the ISO filesystem's zone count. The kernel reads the arbitrary in-range block from the backing device as if it were an `iso_directory_record`, and the misinterpreted bytes populate `iso_inode_info` fields that are returned to the NFS client as dentry metadata [patch_id=2898493]. Out-of-range blocks cause `sb_bread()` to return NULL (EIO), so no memory corruption occurs, but in-range reads of adjacent-partition data on the same block device can leak unintended data.
Affected code
The vulnerable function is `isofs_export_iget()` in `fs/isofs/export.c`. Both `isofs_fh_to_dentry()` and `isofs_fh_to_parent()` call this function with an attacker-controlled block number (`ifid->block` or `ifid->parent_block`) extracted from an NFS file handle. The function previously only rejected `block == 0` before passing the block to `isofs_iget()` and ultimately `sb_bread()` [patch_id=2898493].
What the fix does
The patch changes the single guard in `isofs_export_iget()` from `if (block == 0)` to `if (block == 0 || block >= ISOFS_SB(sb)->s_nzones)` [patch_id=2898493]. This adds an upper-bound check against the filesystem's total zone count (`s_nzones`), ensuring that any block number supplied via an NFS file handle falls within the valid range of the mounted ISO image. The fix covers both call sites (`isofs_fh_to_dentry()` and `isofs_fh_to_parent()`) with a single line, closing the gap left by the earlier CVE-2025-37780 fix that only validated `fh_len`.
Preconditions
- configThe isofs filesystem must be exported over NFS (e.g., a loop-mounted ISO image shared via NFS).
- authThe attacker must be an authenticated NFS peer capable of sending crafted NFS file handles.
- inputThe crafted file handle must have fh_len sufficient to pass the size check from commit 0405d4b63d08.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/0a1af74ae2177bda3aee0837a0546309aa539d0dnvd
- git.kernel.org/stable/c/24376458138387fb251e782e624c7776e9826796nvd
- git.kernel.org/stable/c/4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6nvd
- git.kernel.org/stable/c/afbafeddf23db13fe2edb2d5c0bf4bbb13d7881bnvd
- git.kernel.org/stable/c/bb0988ed4f2e26d59bbb58f644cb3a55b7521e21nvd
News mentions
0No linked articles in our index yet.