CVE-2026-46303 is a vulnerability in Linux Kernel
Published on June 8, 2026
isofs: validate Rock Ridge CE continuation extent against volume size
In the Linux kernel, the following vulnerability has been resolved:
isofs: validate Rock Ridge CE continuation extent against volume size
rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE
record and passes it to sb_bread() without checking that the block
number is within the mounted ISO 9660 volume. commit e595447e177b
("[PATCH] rock.c: handle corrupted directories") added cont_offset
and cont_size rejection for the CE continuation but did not validate
the extent block number itself. commit f54e18f1b831 ("isofs: Fix
infinite looping over CE entries") later capped the CE chain length
at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.
With a crafted ISO mounted via udisks2 (desktop optical auto-mount)
or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at
an out-of-range block or at blocks belonging to an adjacent
filesystem on the same block device. sb_bread() on an out-of-range
block returns NULL cleanly via the block layer EIO path, so there
is no memory-safety violation. For in-range reads of adjacent-
filesystem data, the CE buffer is parsed as Rock Ridge records and
only the text of SL sub-records reaches userspace through
readlink(), which makes the info-leak channel narrow and difficult
to exploit; still, rejecting the malformed CE outright matches the
rejection shape already present in the same function for
cont_offset and cont_size.
Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next
to the existing offset/size rejection, printing the same
corrupted-directory-entry notice.
Products Associated with CVE-2026-46303
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below 8356fb821016797f5677cbeee5ddc0d32a95b4be is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below d582e12378bc1637f337622feef762f53c43fd57 is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below 22b36fa081f38ab397c7697f9d539211b51a0cfc is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below e69da8eeab74b4f4505024c38a17bce060fe7df8 is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below ef048470c90bc8c1b8318bb2ce329da9ef64b9fe is affected.
- Version f54e18f1b831c92f6512d2eedb224cd63d607d3d and below a36d990f591320e9dd379ab30063ebfe91d47e1f is affected.
- Version 08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56 is affected.
- Version 212c4d33ca83e2144064fe9c2911607fbed5386f is affected.
- Version 96e44adce250199ec9b2b928be66365779ff1b59 is affected.
- Version 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 is affected.
- Version fbce0d7dc8965c9fb8d411862040239d4a768c71 is affected.
- Version 8190393a88f2b0321263a54f2a9eb5a2aa43be7e is affected.
- Version 486aa789eadcf44ed87f972b209299c516454693 is affected.
- Version b6d20edb6e7cedb4eedb9e0193d20dd488ebae84 is affected.
- Version 2.6.32.66 and below 2.6.33 is affected.
- Version 3.2.67 and below 3.3 is affected.
- Version 3.4.107 and below 3.5 is affected.
- Version 3.10.64 and below 3.11 is affected.
- Version 3.12.36 and below 3.13 is affected.
- Version 3.14.28 and below 3.15 is affected.
- Version 3.17.8 and below 3.18 is affected.
- Version 3.18.2 and below 3.19 is affected.
- Version 3.19 is affected.
- Before 3.19 is unaffected.
- Version 5.10.258, <= 5.10.* is unaffected.
- Version 5.15.209, <= 5.15.* is unaffected.
- Version 6.1.175, <= 6.1.* is unaffected.
- Version 6.6.140, <= 6.6.* is unaffected.
- Version 6.12.88, <= 6.12.* is unaffected.
- Version 6.18.30, <= 6.18.* is unaffected.
- Version 7.0.7, <= 7.0.* is unaffected.
- Version 7.1-rc2, <= * is unaffected.