CVE-2026-23238

Severity: Medium (CVSS 3.1 base score 5.5)
EPSS: 8.8%
Published: Mar 4, 2026
Last Modified: Jun 17, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

romfs: check sb_set_blocksize() return value

romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration.

This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device.

When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting.

The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh():

    kernel BUG at fs/buffer.c:1582!
    BUG_ON(size > PAGE_SIZE);

Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.
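A simplified user-space model of the flaw described above, added here as an illustration and not taken from the kernel source or the patch. The `model_*` names, the 4 KiB page size and the initial superblock block size are assumptions; the return-value contract, the sizes and the -EINVAL fix come from the description.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096u   /* assumption: 4 KiB pages */
#define ROMBSIZE        4096u   /* romfs block size, per the description */
struct model_bdev { unsigned logical_block_size; };
struct model_sb   { struct model_bdev *bdev; unsigned blocksize; };

/* Model of sb_set_blocksize(): new size on success, 0 on failure (sb untouched). */
static unsigned model_sb_set_blocksize(struct model_sb *sb, unsigned size)
{
    if (size < sb->bdev->logical_block_size)   /* validation rejects it */
        return 0;
    sb->blocksize = size;
    return size;
}

/* Model of the BUG_ON(size > PAGE_SIZE) condition reached through sb_bread(). */
static int model_bread_would_bug(const struct model_sb *sb)
{
    return sb->blocksize > MODEL_PAGE_SIZE;
}

/* Pre-fix pattern: the return value is ignored and the mount continues. */
static int model_fill_super_unpatched(struct model_sb *sb)
{
    sb->blocksize = sb->bdev->logical_block_size;  /* assumed starting state */
    (void)model_sb_set_blocksize(sb, ROMBSIZE);
    return 0;
}

/* Fixed pattern: fail the mount with -EINVAL when the call returns 0. */
static int model_fill_super_patched(struct model_sb *sb)
{
    sb->blocksize = sb->bdev->logical_block_size;  /* assumed starting state */
    if (!model_sb_set_blocksize(sb, ROMBSIZE))
        return -EINVAL;
    return 0;
}

int main(void)
{
    struct model_bdev dev = { .logical_block_size = 32768 };
    struct model_sb sb = { .bdev = &dev, .blocksize = 0 };
    int rc = model_fill_super_unpatched(&sb);
    printf("unpatched: rc=%d blocksize=%u bug=%d\n", rc, sb.blocksize, model_bread_would_bug(&sb));
    printf("patched:   rc=%d\n", model_fill_super_patched(&sb));
    return 0;
}
```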

CVSS Details

Base Score: 5.5
Exploitability: 1.8
Impact: 3.6
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Threat Intelligence

EPSS Exploit Probability: 8.8% percentile
Exploit & Patch Status: No Known Exploit; Patch Available

Weaknesses 1

CWE-617

Affected Products 18

Vendor  Product       Version  Range
linux   linux_kernel  *        ≥2.6.12.1 – <5.10.251
linux   linux_kernel  *        ≥5.11 – <5.15.201
linux   linux_kernel  *        ≥5.16 – <6.1.164
linux   linux_kernel  *        ≥6.2 – <6.6.127
linux   linux_kernel  *        ≥6.7 – <6.12.74
linux   linux_kernel  *        ≥6.13 – <6.18.13
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  2.6.12   any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any
linux   linux_kernel  6.19     any

References 8

  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/html/ssa-253495.html
  • git.kernel.org https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
    Patch