Linux Kernel: Squashfs OOB via negative metadata block offset
CVE-2026-23388 Published on March 25, 2026
Squashfs: check metadata block offset is within range
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: check metadata block offset is within range
Syzkaller reports a "general protection fault in squashfs_copy_data".
This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset.
This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access.
The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.
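A user-space model of the kind of range check the description calls for, added here as an illustration and not the kernel patch itself. `struct meta_block`, `meta_read_checked` and `fill_block` are hypothetical names; the 8192-byte constant is the Squashfs uncompressed metadata block size, and the sample block and offsets are constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define METADATA_SIZE 8192 /* uncompressed Squashfs metadata block size */

/* Hypothetical stand-in for a cached, decompressed metadata block. */
struct meta_block {
    uint8_t data[METADATA_SIZE];
    int length; /* number of valid bytes in data[] */
};

/*
 * Copy len bytes starting at offset within blk into dst.
 * offset is signed because it is computed from on-disk index data,
 * so a corrupted table can make it negative.
 * Returns the byte count copied, or -EIO if the request is out of range.
 */
int meta_read_checked(void *dst, const struct meta_block *blk, int offset, int len)
{
    if (blk->length < 0 || blk->length > METADATA_SIZE)
        return -EIO;
    /* Reject negative and past-the-end offsets before any pointer arithmetic. */
    if (offset < 0 || offset >= blk->length)
        return -EIO;
    /* Compare against the remaining space so the check itself cannot overflow. */
    if (len < 0 || len > blk->length - offset)
        return -EIO;
    memcpy(dst, blk->data + offset, (size_t)len);
    return len;
}

/* Constructed sample block: byte i holds i & 0xff. */
static void fill_block(struct meta_block *blk, int length)
{
    for (int i = 0; i < METADATA_SIZE; i++)
        blk->data[i] = (uint8_t)(i & 0xff);
    blk->length = length;
}

int main(void)
{
    static struct meta_block blk;
    uint8_t out[16];
    int offsets[] = { -1, 0, 96, 98, 100 }; /* constructed inputs */
    fill_block(&blk, 100);
    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("offset %4d -> %d\n", offsets[i], meta_read_checked(out, &blk, offsets[i], 4));
    return 0;
}
```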
Products Associated with CVE-2026-23388
Affected Versions
Linux:
- Version f400e12656ab518be107febfe2315fb1eab5a342 and below 0c8ab092aec3ac4294940054772d30b511b16713 is affected.
- Version f400e12656ab518be107febfe2315fb1eab5a342 and below 6b847d65f5b0065e02080c61fad93d57d6686383 is affected.
- Version f400e12656ab518be107febfe2315fb1eab5a342 and below 9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c is affected.
- Version f400e12656ab518be107febfe2315fb1eab5a342 and below 01ee0bcc29864b78249308e8b35042b09bbf5fe3 is affected.
- Version f400e12656ab518be107febfe2315fb1eab5a342 and below 3b9499e7d677dd4366239a292238489a804936b2 is affected.
- Version f400e12656ab518be107febfe2315fb1eab5a342 and below fdb24a820a5832ec4532273282cbd4f22c291a0d is affected.
- Version 2.6.29 is affected.
- Before 2.6.29 is unaffected.
- Version 6.1.167, <= 6.1.* is unaffected.
- Version 6.6.130, <= 6.6.* is unaffected.
- Version 6.12.77, <= 6.12.* is unaffected.
- Version 6.18.17, <= 6.18.* is unaffected.
- Version 6.19.7, <= 6.19.* is unaffected.
- Version 7.0-rc2, <= * is unaffected.