{ "threat_severity" : "Moderate", "public_date" : "2026-03-04T00:00:00Z", "bugzilla" : { "description" : "kernel: romfs: check sb_set_blocksize() return value", "id" : "2444389", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2444389" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-252", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nromfs: check sb_set_blocksize() return value\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\ncan fail if the requested block size is incompatible with the block\ndevice's configuration.\nThis can be triggered by setting a loop device's block size larger than\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\nfilesystem on that device.\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\nbecause the requested size is smaller than the device's logical block\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\ncontinues mounting.\nThe superblock's block size remains at the device's logical block size\n(32768). Later, when sb_bread() attempts I/O with this oversized block\nsize, it triggers a kernel BUG in folio_set_bh():\nkernel BUG at fs/buffer.c:1582!\nBUG_ON(size > PAGE_SIZE);\nFix by checking the return value of sb_set_blocksize() and failing the\nmount with -EINVAL if it returns 0.", "A flaw was found in the Linux kernel's romfs filesystem implementation. The romfs_fill_super() function ignores the return value of sb_set_blocksize(). When mounting a romfs filesystem on a device with an incompatible block size (larger than PAGE_SIZE), the mount proceeds with an incorrect block size, eventually triggering a kernel BUG in folio_set_bh() when attempting I/O operations." ], "statement" : "This flaw requires the ability to configure a loop device's block size and mount a romfs filesystem on it. While the configuration sequence requires privileged access, once set up, the kernel BUG triggers during normal filesystem operations. Romfs is a read-only filesystem primarily used in embedded systems and initramfs.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23238\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23238\nhttps://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23238-47f3@gregkh/T" ], "name" : "CVE-2026-23238", "mitigation" : { "value" : "To mitigate this issue, prevent the romfs module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }