HIGH · CVE-2026-46124 · CNA: Linux

CVE-2026-46124: isofs: validate block number from NFS file handle in isofs_export_iget

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata.

The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.
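The description above contrasts the pre-fix check (only block == 0 is rejected) with the post-fix check (block >= ISOFS_SB(sb)->s_nzones is rejected as well). The following user-space C model is an added example, not kernel code and not part of the HarborGuard page: it decodes a file handle into a block number, then runs both versions of the check so the difference is visible for a block that lies on the backing device but outside the ISO volume. The isofs_fid layout, the 3-word/5-word fh_len thresholds, the errno values and all sample handles are assumptions constructed for the example; the outcome codes READ_VOLUME and READ_FOREIGN are the model's own.

```c
/* Added example: user-space model of the CVE-2026-46124 check, not kernel code.
 * Layout, thresholds and sample values below are assumptions for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifndef ESTALE
#define ESTALE 116  /* Linux errno: stale file handle (assumed value) */
#endif
#ifndef EIO
#define EIO 5       /* Linux errno: the clean sb_bread() failure path */
#endif

/* Assumed on-wire layout of the isofs file id; fh_len is counted in
 * 32-bit words, so a full id is 5 words (20 bytes, no padding). */
struct isofs_fid {
    uint32_t block;
    uint16_t offset;
    uint16_t parent_offset;
    uint32_t generation;
    uint32_t parent_block;
    uint32_t parent_generation;
};

/* Model of the state the two checks depend on. */
struct volume_model {
    unsigned long s_nzones;       /* blocks in the ISO volume (ISOFS_SB(sb)->s_nzones) */
    unsigned long device_blocks;  /* blocks on the backing device, may be larger */
};

enum { READ_VOLUME = 0,   /* block inside the ISO volume: a legitimate lookup   */
       READ_FOREIGN = 1   /* block on the device but outside the volume: leak   */ };

/* Pre-fix isofs_export_iget(): only block == 0 is rejected before the read. */
static int export_iget_before(const struct volume_model *v, unsigned long block)
{
    if (block == 0)
        return -ESTALE;
    if (block >= v->device_blocks)
        return -EIO;                 /* sb_bread() returns NULL, nothing is read */
    return block < v->s_nzones ? READ_VOLUME : READ_FOREIGN;
}

/* Post-fix: the single-line range check from the description. */
static int export_iget_after(const struct volume_model *v, unsigned long block)
{
    if (block == 0 || block >= v->s_nzones)
        return -ESTALE;
    return READ_VOLUME;
}

/* Extract the requested block from a handle. The 3/5-word minimum lengths
 * model the "too small fid" check the description mentions (assumed values). */
static int fh_block(const uint32_t *fh, int fh_len, int want_parent, unsigned long *out)
{
    struct isofs_fid fid;
    int need = want_parent ? 5 : 3;
    if (fh_len < need)
        return -ESTALE;
    memset(&fid, 0, sizeof fid);
    memcpy(&fid, fh, (size_t)need * 4);
    *out = want_parent ? fid.parent_block : fid.block;
    return 0;
}

/* Full path: handle -> block -> check. `fixed` selects which check runs.
 * Returns READ_VOLUME, READ_FOREIGN, or a negative errno. */
int isofs_fh_lookup(const struct volume_model *v, const uint32_t *fh,
                    int fh_len, int want_parent, int fixed)
{
    unsigned long block;
    int rc = fh_block(fh, fh_len, want_parent, &block);
    if (rc)
        return rc;
    return fixed ? export_iget_after(v, block) : export_iget_before(v, block);
}

/* Constructed samples: a 1024-block volume on a 4096-block device. Words are
 * block, offset|parent_offset, generation, parent_block, parent_generation. */
const struct volume_model sample_volume = { 1024, 4096 };
const uint32_t fh_valid[5]   = { 20,   0, 0, 0,    0 };
const uint32_t fh_foreign[5] = { 2000, 0, 0, 0,    0 };
const uint32_t fh_offdev[5]  = { 9999, 0, 0, 0,    0 };
const uint32_t fh_zero[5]    = { 0,    0, 0, 0,    0 };
const uint32_t fh_parent[5]  = { 20,   0, 0, 3000, 0 };

int main(void)
{
    const struct { const char *name; const uint32_t *fh; int len; int parent; } cases[] = {
        { "valid block 20",     fh_valid,   5, 0 },
        { "foreign block 2000", fh_foreign, 5, 0 },
        { "beyond device 9999", fh_offdev,  5, 0 },
        { "block 0",            fh_zero,    5, 0 },
        { "too-short handle",   fh_valid,   2, 0 },
        { "parent block 3000",  fh_parent,  5, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s before=%5d after=%5d\n", cases[i].name,
               isofs_fh_lookup(&sample_volume, cases[i].fh, cases[i].len, cases[i].parent, 0),
               isofs_fh_lookup(&sample_volume, cases[i].fh, cases[i].len, cases[i].parent, 1));
    return 0;
}
```

The row worth reading is the "foreign" one: the pre-fix check lets a block beyond s_nzones but inside the device through (READ_FOREIGN), while the post-fix check returns -ESTALE. Blocks past the end of the device already failed cleanly with -EIO before the fix, which is why the description classes the issue as information disclosure rather than memory corruption. The same range check covers the parent_block path because both callers route through export_iget_after().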

HarborGuard Analysis

Synopsis

An information-disclosure vulnerability exists in the Linux kernel's ISO 9660 filesystem (isofs) NFS export path. An authenticated NFS peer can supply a crafted file handle containing an arbitrary block number, causing the server to read and return metadata from unrelated blocks on the backing block device. Successful exploitation leaks raw on-disk bytes to the NFS client as dentry metadata; there is no memory-safety violation, code execution, or write capability. A patched-image rebuild at the fix commits is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Linux kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected kernel versions. Any container image whose base layer or installed kernel package falls within the affected version ranges is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.5 (HIGH) per the published v3.1 vector and weights it further against each customer environment's compliance policy, for example elevated priority in environments where NFS exports of loop-mounted ISO images are a known workload pattern. Findings are routed to the relevant team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild at the fix commits (including the 5.5 stable tag and the three upstream SHA targets) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the NFS server over the network and supply a crafted file handle through the NFS protocol.

  • Authentication: Required

    An authenticated NFS peer is required; the vulnerability is not reachable by an unauthenticated caller, though any low-privilege NFS account is sufficient.

  • Victim interaction: Not required

    No user action on the server side is needed; the malformed file handle is processed automatically by the kernel NFS export path.

  • Attack complexity: Low

    The exploit is straightforward and condition-free once NFS access is established; no race conditions or special memory layout are required.

Blast Radius

  • The attacker reads raw bytes from arbitrary in-range blocks on the server's backing block device, bypassing normal filesystem access controls.
  • Those bytes are returned to the NFS client as dentry metadata fields, potentially exposing data from adjacent partitions or filesystem structures on the same device.
  • Confidentiality of other filesystem data co-located on the same block device is compromised; no data is modified and no service disruption occurs.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and patched-image rebuild for CVE-2026-46124 are all available as platform capabilities. For environments with auto-remediation enabled, HarborGuard can rebuild affected images at the patched commit level, run regression tests, and open a pull request against impacted workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes. Where compliance policy restricts auto-remediation, the finding is surfaced in the triage queue with CVSS 7.5 HIGH scoring and ownership routing so teams can act manually. Because the deployment surface is narrow (isofs volumes exported over NFS from loop-mounted images), customers can also apply a compensating control by enforcing network policy to restrict NFS export access to known trusted peers until a patched kernel is deployed.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2

Fix available

  • Fix commits: 0a1af74ae2177bda3aee0837a0546309aa539d0d, 24376458138387fb251e782e624c7776e9826796, 4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6, afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b, bb0988ed4f2e26d59bbb58f644cb3a55b7521e21
  • Versions: 5.5.11, 5.16, 6.2, 6.6.140, 6.12.88, 6.15, 6.18.30, 7.0.7, 7.1-rc2
Affected packages
  • Linux / Linux (git ranges)
    < bb0988ed4f2e26d59bbb58f644cb3a55b7521e21 (from 952e7a7e317f126d0a2b879fc531b716932d5ffa)
    < 0a1af74ae2177bda3aee0837a0546309aa539d0d (from 56dfffea9fd3be0b3795a9ca6401e133a8427e0b)
    < afbafeddf23db13fe2edb2d5c0bf4bbb13d7881b (from 0405d4b63d082861f4eaff9d39c78ee9dc34f845)
    < 4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6 (from 0405d4b63d082861f4eaff9d39c78ee9dc34f845)
    < 24376458138387fb251e782e624c7776e9826796 (from 0405d4b63d082861f4eaff9d39c78ee9dc34f845)
    ee01a309ebf598be1ff8174901ed6e91619f1749
  • Linux / Linux (versions)
    Affected: 6.15
    Fixed in: 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N