PatchSiren cyber security CVE debrief

CVE-2026-46303 Linux CVE debrief

A vulnerability was found in the Linux kernel's isofs module. The isofs code did not validate the Rock Ridge CE (continuation) extent it read from the media, so a CE entry could point at a block outside the mounted volume, including blocks belonging to an adjacent filesystem, and that block would be read as if it were part of the volume. This can result in an information leak. The fix adds a bounds check against ISOFS_SB(sb)->s_nzones in rock_continue().

Vendor
Linux
Product
Unknown
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-08
Original CVE updated
2026-06-14
Advisory published
2026-06-08
Advisory updated
2026-06-14

Who should care

Anyone running a Linux kernel with the isofs module, which is the driver that mounts ISO 9660 volumes (optical media and ISO images), should be aware of this vulnerability. A crafted volume could be used to read data from outside the mounted filesystem and leak it.

Technical summary

The Linux kernel's isofs module did not validate the block number carried in a Rock Ridge CE continuation extent, so out-of-range blocks, or blocks from an adjacent filesystem on the same media, could be read. This has been fixed by checking the CE block against the volume's zone count, ISOFS_SB(sb)->s_nzones, before the read in rock_continue().
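The example below, added here and not taken from the kernel source or the PatchSiren debrief, models the class of check the fix describes in stand-alone C. The structures, the in-memory "media" buffer and the helper names are constructed for illustration; the field `nzones` stands in for `ISOFS_SB(sb)->s_nzones`, and the block-number check is the one the debrief names. The additional offset/size check that keeps the read inside a single block is an assumption added for completeness, not something the page states the fix does.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the per-volume geometry; not the kernel's structures.
 * nzones plays the role of ISOFS_SB(sb)->s_nzones (logical blocks in the volume). */
struct iso_volume {
    uint32_t block_size;   /* bytes per logical block; 2048 on real media */
    uint32_t nzones;       /* number of logical blocks that belong to this volume */
    const uint8_t *media;  /* backing store: this volume plus whatever follows it on disc */
    size_t media_len;
};

/* Constructed model of the fields a Rock Ridge CE entry carries on the media */
struct ce_entry {
    uint32_t block;   /* logical block holding the continuation area */
    uint32_t offset;  /* byte offset inside that block */
    uint32_t size;    /* bytes of continuation data to read */
};

/* Bounds check: the CE block must lie inside the volume (the check the debrief describes).
 * The offset/size test is an extra assumption keeping the read inside one block. */
bool ce_in_bounds(const struct iso_volume *vol, const struct ce_entry *ce)
{
    if (ce->block >= vol->nzones)
        return false;   /* out-of-range, or a block of an adjacent filesystem */
    if (ce->offset >= vol->block_size)
        return false;
    if (ce->size > vol->block_size - ce->offset)
        return false;
    return true;
}

/* Unchecked read: trusts the on-disc CE fields, modelling the pre-fix behaviour.
 * Only the edge of the whole backing store stops it, not the edge of the volume.
 * Returns the number of bytes copied, or -1 if the request leaves the store entirely. */
int read_ce_unchecked(const struct iso_volume *vol, const struct ce_entry *ce, uint8_t *out)
{
    size_t start = (size_t)ce->block * vol->block_size + ce->offset;
    if (start + ce->size > vol->media_len)
        return -1;
    memcpy(out, vol->media + start, ce->size);
    return (int)ce->size;
}

/* Checked read: refuses any CE entry that fails the bounds check before touching the media. */
int read_ce_checked(const struct iso_volume *vol, const struct ce_entry *ce, uint8_t *out)
{
    if (!ce_in_bounds(vol, ce))
        return -1;
    return read_ce_unchecked(vol, ce, out);
}

/* Constructed demo media: a 4-block ISO volume followed by a 2-block neighbour. */
#define BS 16u
static uint8_t media[6 * BS];

static void build_media(void)
{
    memset(media, 'v', 4 * BS);            /* blocks 0..3: the ISO volume */
    memset(media + 4 * BS, 'N', 2 * BS);   /* blocks 4..5: the adjacent filesystem */
}

/* Reads 8 bytes from the given block via the checked or unchecked path.
 * Returns the first byte read, or -1 if the read was refused. */
int demo_read(bool checked, uint32_t block)
{
    build_media();
    struct iso_volume vol = { BS, 4, media, sizeof media };
    struct ce_entry ce = { block, 0, 8 };
    uint8_t out[BS] = { 0 };
    int n = checked ? read_ce_checked(&vol, &ce, out)
                    : read_ce_unchecked(&vol, &ce, out);
    return n < 0 ? -1 : out[0];
}

int main(void)
{
    printf("unchecked read of block 4 (neighbour): %d\n", demo_read(false, 4));
    printf("checked read of block 4 (neighbour):   %d\n", demo_read(true, 4));
    printf("checked read of block 3 (in volume):   %d\n", demo_read(true, 3));
    return 0;
}
```

With the unchecked path, a CE entry pointing at block 4 returns the neighbour's bytes ('N') even though the volume has only four blocks; the checked path refuses it and still serves block 3 normally. The same shape of check, comparing a media-supplied block number against the volume's zone count before issuing the read, is what makes the difference between a crafted image reading adjacent data and an I/O error.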

Defensive priority

High

Recommended defensive actions

  • Apply the patch from the Linux kernel stable tree: https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc
  • Update to a Linux kernel version that includes this patch.

Evidence notes

The CVE-2026-46303 vulnerability was made public on 2026-06-08.
