{ "public_date" : "2026-05-28T00:00:00Z", "bugzilla" : { "description" : "kernel: isofs: validate block number from NFS file handle in isofs_export_iget", "id" : "2482646", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2482646" }, "cwe" : "CWE-1285", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nisofs: validate block number from NFS file handle in isofs_export_iget\nisofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-\ncontrolled block number (ifid->block or ifid->parent_block) from\nthe NFS file handle to isofs_export_iget(), which only rejects\nblock == 0 before calling isofs_iget() and ultimately sb_bread().\nA crafted file handle with fh_len sufficient to pass the check\nadded by commit 0405d4b63d08 (\"isofs: Prevent the use of too small\nfid\") can still drive the server to read any in-range block on the\nbacking device as if it were an iso_directory_record. That earlier\nfix was assigned CVE-2025-37780.\nsb_bread() on an out-of-range block returns NULL cleanly via the\nEIO path, so there is no memory-safety violation. For in-range\nreads of adjacent-partition data on the same block device, the\nunrelated bytes end up in iso_inode_info fields that reach the NFS\nclient as dentry metadata. The deployment surface (isofs exported\nover NFS from loop-mounted images) is narrow and requires an\nauthenticated NFS peer, but the malformed-file-handle class is\nreportable as hardening next to the existing CVE-2025-37780 fix.\nReject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so\nthe check covers both isofs_fh_to_dentry() and isofs_fh_to_parent()\ncall sites with a single line.", "A flaw was found in the Linux kernel's `isofs` filesystem. An authenticated NFS (Network File System) peer can exploit this vulnerability by providing a specially crafted file handle. This allows the server to read arbitrary in-range blocks on the backing device, leading to information disclosure where unrelated data from adjacent partitions may be sent to the NFS client as directory entry metadata." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-46124\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46124\nhttps://lore.kernel.org/linux-cve-announce/2026052816-CVE-2026-46124-759e@gregkh/T" ], "name" : "CVE-2026-46124", "csaw" : false }