HIGH · CVE-2026-46303 · CNA: Linux

CVE-2026-46303: isofs: validate Rock Ridge CE continuation extent against volume size

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate Rock Ridge CE continuation extent against volume size

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume.

commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device.

sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent-filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice.
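A userspace model of the validation described above, added here as an illustration and not taken from the kernel patch: it parses a SUSP `CE` entry and rejects it when the offset/size pair or the extent block number is out of range. The names `ce_parse`, `ce_validate` and `ce_check` and the `extent >= nzones` comparison are assumptions; `nzones` stands in for `ISOFS_SB(sb)->s_nzones`, and the record is constructed in the code.

```c
#include <stdint.h>
#include <string.h>

#define CE_LEN     28  /* "CE", length, version, three 8-byte both-endian fields */
#define RR_HDR_LEN 4   /* signature + length + version */

struct ce_ref { uint32_t extent, offset, size; };

/* Both-endian 32-bit field: little-endian copy followed by big-endian copy. */
static void put_733(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        p[i] = p[7 - i] = (uint8_t)(v >> (8 * i));
}

static uint32_t get_733(const uint8_t *p)   /* reads the little-endian copy */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse one CE entry; 0 on success, -1 if it is not a well-formed CE record. */
int ce_parse(const uint8_t *rec, size_t len, struct ce_ref *out)
{
    if (len < CE_LEN || memcmp(rec, "CE", 2) != 0 || rec[2] != CE_LEN)
        return -1;
    *out = (struct ce_ref){ get_733(rec + 4), get_733(rec + 12), get_733(rec + 20) };
    return 0;
}

/* 0 if the continuation block may be read, -1 if the CE must be rejected. */
int ce_validate(const struct ce_ref *ce, uint32_t blocksize, uint32_t nzones)
{
    if (ce->offset > blocksize - RR_HDR_LEN || ce->size > blocksize ||
        (uint64_t)ce->offset + ce->size > blocksize)
        return -1;   /* offset/size rejection */
    return ce->extent >= nzones ? -1 : 0;   /* assumed form of the added extent check */
}

/* Build a constructed CE record from the given fields, then parse and validate it. */
int ce_check(uint32_t extent, uint32_t offset, uint32_t size,
             uint32_t blocksize, uint32_t nzones)
{
    uint8_t rec[CE_LEN] = { 'C', 'E', CE_LEN, 1 };
    struct ce_ref ce;
    put_733(rec + 4, extent);
    put_733(rec + 12, offset);
    put_733(rec + 20, size);
    return ce_parse(rec, sizeof rec, &ce) ? -1 : ce_validate(&ce, blocksize, nzones);
}
```

Without the final comparison in `ce_validate`, a record such as `ce_check(1000, 0, 64, 2048, 1000)` passes the offset/size test and the caller would go on to read block 1000 of a 1000-block volume.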

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in: 0
  • Affected Products: 2


HarborGuard Analysis

Synopsis

An out-of-bounds block read vulnerability exists in the Linux kernel's isofs (ISO 9660) filesystem driver, specifically in the Rock Ridge CE continuation extent parsing logic. The flaw is reachable over the network when a crafted ISO image is auto-mounted via a desktop facility like udisks2, and no authentication or user interaction is required. Successful exploitation leaks data from adjacent filesystem blocks through the readlink() system call, while also offering limited tamper potential via misrouted CE record parsing. A patched-image rebuild is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-46303 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that carry an affected kernel or kernel module layer.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at 8.2 HIGH using the published CVSS v3.1 vector and weighting that score against each environment's compliance policy to determine priority; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

A patched-image rebuild targeting the fix commits listed in the advisory is available on HarborGuard for any image found to carry an affected kernel version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerability is reachable over the network (AV:N); an attacker can deliver a crafted ISO image via any network-accessible channel that triggers auto-mounting, such as a desktop optical auto-mount facility exposed through udisks2.

  • Authentication: Not required

    No authentication is required (PR:N); the attacker does not need any account or credential on the target system to supply the malicious ISO image.

  • Victim interaction: Not required

    No victim interaction is required (UI:N); the filesystem parse path is triggered automatically on mount without any additional user action beyond the mount event itself.

  • Attack complexity: Detail

    Attack complexity is low (AC:L); exploiting the missing bounds check requires only a crafted ISO with an out-of-range CE block number and no special timing, race conditions, or environmental prerequisites.

Blast Radius

  • Reads raw data from blocks belonging to an adjacent filesystem on the same block device, with the content of SL sub-records surfacing to userspace through the readlink() call.
  • Leaks filesystem-level data (path strings, symlink targets) that may include sensitive path information stored in adjacent filesystem regions.
  • Misroutes CE record parsing into attacker-controlled block data, giving limited influence over which Rock Ridge records the kernel processes for that mount.

How HarborGuard Handles This

Available on HarborGuard: images carrying a Linux kernel version affected by CVE-2026-46303 are flagged automatically as soon as the CVE is ingested, typically within minutes of publication. For customers who opt into auto-remediation, HarborGuard rebuilds the image at a patched kernel version, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit automated remediation, HarborGuard surfaces the finding with CVSS context and fix-version detail so engineering teams can act manually. As a compensating control while a rebuild is staged, customers can apply network-policy isolation to restrict which workloads can trigger ISO auto-mount paths and limit exposure of the udisks2 D-Bus interface.


Fix available

Affected packages
  • Linux / Linux
    < 8356fb821016797f5677cbeee5ddc0d32a95b4be (from f54e18f1b831c92f6512d2eedb224cd63d607d3d) · < d582e12378bc1637f337622feef762f53c43fd57 (from f54e18f1b831c92f6512d2eedb224cd63d607d3d) · < bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9 (from f54e18f1b831c92f6512d2eedb224cd63d607d3d) · < c9b37c8b73f6368e4750e5ccb0632c380b43c6e5 (from f54e18f1b831c92f6512d2eedb224cd63d607d3d) · < 22b36fa081f38ab397c7697f9d539211b51a0cfc (from f54e18f1b831c92f6512d2eedb224cd63d607d3d) · < e69da8eeab74b4f4505024c38a17bce060fe7df8 (from f54e18f1b831c92f6512d2eedb224cd63d607d3d)
  • Linux / Linux
    3.19
    Fixed in 0, 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N