PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46124 Linux CVE debrief

## Summary CVE-2026-46124 is a hardening fix for the Linux kernel's ISO 9660 filesystem (isofs) NFS export handler. The vulnerability allows an authenticated NFS peer to supply a crafted file handle with an attacker-controlled block number that, while in-range for the backing device, exceeds the ISO filesystem's declared size. This can cause the server to read and interpret unrelated data (e.g., from adjacent partitions) as ISO directory metadata, which is then returned to the client. The issue complements CVE-2025-37780, which addressed undersized file handles. ## Affected Product - **Product:** Linux kernel ISO 9660 filesystem (isofs) - **Component:** `isofs_export_iget()`, `isofs_fh_to_dentry()`, `isofs_fh_to_parent()` - **Attack Vector:** Network (NFS), requires authenticated NFS client access - **Deployment Surface:** Narrow — requires ISO 9660 images exported over NFS, typically loop-mounted ## Root Cause The `isofs_fh_to_dentry()` and `isofs_fh_to_parent()` functions extract block numbers (`ifid->block`, `ifid->parent_block`) from NFS file handles and pass them to `isofs_export_iget()`. Prior to this fix, `isofs_export_iget()` only rejected `block == 0`, allowing any non-zero in-range block to proceed to `isofs_iget()` and `sb_bread()`. While out-of-range blocks return NULL cleanly via EIO, in-range blocks outside the ISO filesystem's `s_nzones` could read arbitrary adjacent data on the same block device. ## Impact - **Confidentiality:** Potential information disclosure — unrelated bytes from adjacent partitions may be interpreted as `iso_inode_info` fields and returned to the NFS client as dentry metadata. - **Integrity/Availability:** No direct impact; no memory safety violation occurs. - **Severity Context:** Low severity due to narrow deployment surface and authentication requirement, but reportable as defense-in-depth hardening. ## Resolution The fix adds a single validation in `isofs_export_iget()` to reject `block >= ISOFS_SB(sb)->s_nzones`, covering both `isofs_fh_to_dentry()` and `isofs_fh_to_parent()` call sites. This ensures block numbers are constrained to the actual ISO filesystem bounds. ## Timeline - **CVE Published:** 2026-05-28

Vendor
Linux
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-30
Advisory published
2026-05-28
Advisory updated
2026-05-30

Who should care

Linux system administrators running NFS servers that export ISO 9660 filesystems (particularly loop-mounted disk images), kernel security teams tracking filesystem hardening issues, and organizations with legacy optical media workflows exposed via NFS.

Technical summary

The Linux kernel's ISO 9660 filesystem driver lacked proper bounds checking on block numbers extracted from NFS file handles. An authenticated attacker could craft a file handle referencing in-range but out-of-bounds blocks, causing the server to return metadata derived from unrelated data (potentially from adjacent disk partitions). The fix adds validation against ISOFS_SB(sb)->s_nzones in isofs_export_iget().

Defensive priority

low

Recommended defensive actions

  • Apply kernel updates containing the isofs_export_iget() block number validation fix when available from your Linux distribution
  • Review NFS export configurations for ISO 9660 filesystems to ensure only trusted clients have access
  • Monitor for kernel stable updates referencing CVE-2026-46124 or the associated git.kernel.org commits
  • Consider restricting NFS exports of loop-mounted ISO images to administrative hosts only

Evidence notes

- CVE description confirms the fix validates `block >= ISOFS_SB(sb)->s_nzones` in `isofs_export_iget()` - References kernel commits implementing the fix across stable branches - Related to CVE-2025-37780 which addressed undersized file handles (`fh_len` check)

Official resources

2026-05-28