CVE Catalog

CVE-2026-46124

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.43%

34th percentile - higher than 34% of all known CVEs

Summary

A vulnerability has been identified in the Linux kernel within the isofs_fh_to_dentry() and isofs_fh_to_parent() functions, which pass an attacker-controlled block number from the NFS file handle to isofs_export_iget(). Although block 0 is rejected, an attacker can force the read of any in-range block, leading to the exposure of unrelated data in dentry metadata.

Risk Assessment

This vulnerability may lead to the disclosure of data from adjacent partitions on the same block device, posing a risk of information leakage in environments where NFS is used. Although the attack surface is narrow, it requires an authenticated NFS client.

Recommendation

It is recommended to reject blocks greater than or equal to ISOFS_SB(sb)->s_nzones in the isofs_export_iget() function to mitigate these attacks.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS