CVE-2026-45991 Linux CVE debrief

Who should care

Linux system administrators, kernel maintainers, and security teams managing systems that process UDF filesystem images, particularly those allowing user-controlled media mounting or handling untrusted optical media images.

Technical summary

The UDF (Universal Disk Format) driver in the Linux kernel contains a heap buffer overflow vulnerability triggered during partition descriptor parsing. The `handle_partition_descriptor()` function manages a dynamic array `part_descs_loc[]` for partition descriptors. While the function implements deduplication logic based on partition numbers, the implementation fails to store the partition number in newly appended slots. This bookkeeping error allows duplicate descriptors to accumulate unchecked. The capacity growth calculation uses `ALIGN(partnum, PART_DESC_ALLOC_STEP)` rather than the actual slot count, creating a mismatch when `partnum` values align with allocation boundaries. Under these conditions, the array fails to expand while inserts continue, resulting in writes past the heap allocation boundary. The resolution ensures partition numbers are recorded in all slots and capacity calculations use the append count for consistent tracking.

Defensive priority

high

Recommended defensive actions

• Apply kernel patches from stable tree commits when available for your distribution
• Restrict mounting of untrusted UDF filesystem images
• Monitor kernel security advisories for stable backports
• Review systems allowing user-controlled filesystem mounting

Evidence notes

Vulnerability disclosed via Linux kernel stable tree commits on 2026-05-27. The issue affects UDF filesystem mounting operations. No CVSS score or severity assigned by NVD at time of disclosure (status: Awaiting Analysis).

Official resources