CVE-2026-46303
Description
Linux kernel's isofs module has a vulnerability where a crafted ISO can cause an out-of-bounds read, potentially leading to information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Linux kernel's isofs module contains a vulnerability where the rock_continue() function reads the rs->cont_extent value from a Rock Ridge CE record and passes it to sb_bread() without validating that the block number is within the mounted ISO 9660 volume's size. This issue was introduced in commit e595447e177b and not fully addressed by commit f54e18f1b831, which capped the CE chain length but not the block number itself. Affected versions are those with these commits applied.
Exploitation
An attacker can exploit this vulnerability by mounting a crafted ISO image. This can be achieved via udisks2 (desktop optical auto-mount) or by using CAP_SYS_ADMIN privileges for mounting. The crafted ISO causes rs->cont_extent to point to an out-of-range block or blocks belonging to an adjacent filesystem on the same block device. Reading an out-of-range block results in a NULL return from sb_bread() via the block layer EIO path, preventing a memory-safety violation. However, reading adjacent filesystem data allows the CE buffer to be parsed as Rock Ridge records, potentially leading to an information leak through readlink() of SL sub-records.
Impact
Successful exploitation allows an attacker to read data from blocks outside the intended ISO 9660 volume. While direct memory corruption is avoided, this can lead to an information leak by exposing data from adjacent filesystems. The information disclosure channel is described as narrow and difficult to exploit; the fix nonetheless rejects malformed CE entries, in line with the existing checks for cont_offset and cont_size.
Mitigation
This vulnerability has been resolved by adding an ISOFS_SB(sb)->s_nzones bounds check to the rock_continue() function in the isofs module. The fix is available in the Linux kernel. Specific fixed versions and release dates are not detailed in the provided references, nor is information on workarounds or end-of-life status. The references provided are related to website protection mechanisms and do not contain vulnerability-specific mitigation details.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (16)
e69da8eeab74 isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 576498245b9d7..6c104fcb84481 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
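Review bot: the printk(KERN_NOTICE ...) in the added bounds check is not rate-limited, and it sits on a path driven entirely by image contents, so an image carrying many out-of-range CE records can fill the kernel log. Consider a rate-limited variant such as pr_notice_ratelimited() for this message. The format string is also split across two source lines ("rock: corrupted directory entry. " followed by "extent=%u out of volume ..."), which makes the message harder to grep for; keeping it on one line would help.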
22b36fa081f3 isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 576498245b9d7..6c104fcb84481 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
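Review bot: the added condition uses a bare `(unsigned)` cast in both the comparison and the printk argument, and has no comment on units. Prefer `unsigned int`, ideally through one local such as `unsigned int extent = rs->cont_extent;` used in both places. A one-line comment stating that the extent is a block number compared against s_nzones would also make it clear why an extent of 0 passes this check and is left to the following `if (rs->cont_extent)` test.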
a36d990f5913 isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 6fe6dbd0c740f..1232fab59a4e6 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
bf1bc673c587 isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 48f58c6c9e69b..946073b6fd1a3 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
d582e12378bc isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 4880146babaf9..277734fc179d7 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
c9b37c8b73f6 isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 348783a70f571..4a791011cb098 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
8356fb821016 isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 94ef92fe806c4..1efa3ae2f41e9 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
ef048470c90b isofs: validate Rock Ridge CE continuation extent against volume size
1 file changed · +9 −1
fs/isofs/rock.c+9 −1 modifieddiff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 6fe6dbd0c740f..1232fab59a4e6 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -101,6 +101,15 @@ static int rock_continue(struct rock_state *rs) goto out; } + if ((unsigned)rs->cont_extent >= ISOFS_SB(rs->inode->i_sb)->s_nzones) { + printk(KERN_NOTICE "rock: corrupted directory entry. " + "extent=%u out of volume (nzones=%lu)\n", + (unsigned)rs->cont_extent, + ISOFS_SB(rs->inode->i_sb)->s_nzones); + ret = -EIO; + goto out; + } + if (rs->cont_extent) { struct buffer_head *bh; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The isofs filesystem driver in the Linux kernel did not validate the block number read from a Rock Ridge CE record before using it to read from the volume."
Attack vector
An attacker can craft an ISO 9660 filesystem image with a malicious Rock Ridge CE record. When this crafted ISO is mounted, for example via udisks2 or with CAP_SYS_ADMIN privileges, the `rock_continue()` function takes from the CE record a block number that is out of range or that belongs to an adjacent filesystem. This block number is then passed to `sb_bread()` without validation, potentially leading to an information leak.
Affected code
The vulnerability exists in the `rock_continue()` function within the file `fs/isofs/rock.c` [patch_id=5239619]. Specifically, the code reads `rs->cont_extent` and passes it to `sb_bread()` without validating that the block number is within the mounted ISO 9660 volume's size.
What the fix does
The patch adds a bounds check within the `rock_continue()` function in `fs/isofs/rock.c` [patch_id=5239619]. This check ensures that the `rs->cont_extent` value, representing the block number, is within the valid range of the ISO volume's zones (`ISOFS_SB(sb)->s_nzones`). If the extent is out of bounds, the function now prints a "corrupted directory entry" notice and returns an error, preventing the use of invalid block numbers and mitigating the information leak.
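The check described above, as an added userspace example rather than kernel or project code: it parses a 28-byte SUSP CE entry and rejects a continuation block at or beyond the volume size. The names `ce_check` and `ce_entry`, the sample byte arrays and the volume geometry are assumptions made for illustration, and the offset/size test is a simplified stand-in for the kernel's own cont_offset and cont_size checks.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; a SUSP "CE" entry is 28 bytes on disk. */
struct ce_entry { uint32_t extent, offset, size; };
enum ce_status { CE_OK, CE_MALFORMED, CE_BAD_RANGE, CE_OUT_OF_VOLUME };

/* Little-endian half of an ISO 9660 both-endian 32-bit field. */
static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 |
           (uint32_t)p[3] << 24;
}

/* nzones: volume size in logical blocks; blocksize: bytes per block. */
enum ce_status ce_check(const uint8_t *rec, size_t len, uint32_t nzones,
                        uint32_t blocksize, struct ce_entry *out)
{
    if (len < 28 || memcmp(rec, "CE", 2) != 0 || rec[2] != 28)
        return CE_MALFORMED;
    out->extent = le32(rec + 4);
    out->offset = le32(rec + 12);
    out->size = le32(rec + 20);
    /* The continuation area must fit inside one logical block. */
    if (out->offset > blocksize || out->size > blocksize - out->offset)
        return CE_BAD_RANGE;
    /* The bound the fix adds: the block must lie inside the volume. */
    if (out->extent >= nzones)
        return CE_OUT_OF_VOLUME;
    return CE_OK;
}

/* Constructed sample entries, not taken from any real image. */
static const uint8_t ce_in_range[28] = { 'C', 'E', 28, 1,
    0x20, 0, 0, 0, 0, 0, 0, 0x20,       /* extent 32 */
    0, 0, 0, 0, 0, 0, 0, 0,             /* offset 0 */
    0, 0x01, 0, 0, 0, 0, 0x01, 0 };     /* size 256 */
static const uint8_t ce_past_end[28] = { 'C', 'E', 28, 1,
    0, 0x10, 0, 0, 0, 0, 0x10, 0,       /* extent 4096 */
    0, 0, 0, 0, 0, 0, 0, 0,             /* offset 0 */
    0, 0x01, 0, 0, 0, 0, 0x01, 0 };     /* size 256 */

int main(void)
{
    struct ce_entry e;
    /* Constructed geometry: 1024 blocks of 2048 bytes. */
    printf("in range: %d\n", ce_check(ce_in_range, 28, 1024, 2048, &e));
    printf("past end: %d\n", ce_check(ce_past_end, 28, 1024, 2048, &e));
    return 0;
}
```

The comparison is `>=` because block numbers start at 0, so an extent equal to the block count is already one past the last block of the volume.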
Preconditions
- input: A crafted ISO 9660 filesystem image containing a malicious Rock Ridge CE record.
- config: The crafted ISO must be mounted, which can be achieved via udisks2 or with CAP_SYS_ADMIN privileges.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc (nvd)
- git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be (nvd)
- git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f (nvd)
- git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 (nvd)
- git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 (nvd)
- git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57 (nvd)
- git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8 (nvd)
- git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe (nvd)
News mentions (1)
- Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026 (Vypr Intelligence · Jun 8, 2026)