Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-46124— isofs: validate block number from NFS file handle in isofs_export_iget

CVSS 7.5 · High EPSS 0.03% · P11

Possible ATT&CK Techniques 1AI

T1557 · Adversary-in-the-Middle

Affected Version Matrix 27

VendorProductVersion RangeStatus
LinuxLinux5e7de55602c61c8ff28db075cc49c8dd6989d7e0< ee0024f5a7e3c73aa253869fae9650ae054093caaffected
63d5a3e207bf315a32c7d16de6c89753a759f95a< 31dbb4ba0f719ae7774e4c0c95172c9bf81692f5affected
0fdafdaef796816a9ed0fd7ac812932d569d9beb< 908a76f0b1038035e6ebb4f2293ce079f92e0a02affected
952e7a7e317f126d0a2b879fc531b716932d5ffa< bb0988ed4f2e26d59bbb58f644cb3a55b7521e21affected
56dfffea9fd3be0b3795a9ca6401e133a8427e0b< 0a1af74ae2177bda3aee0837a0546309aa539d0daffected
0405d4b63d082861f4eaff9d39c78ee9dc34f845< afbafeddf23db13fe2edb2d5c0bf4bbb13d7881baffected
0405d4b63d082861f4eaff9d39c78ee9dc34f845< 4c721a1d9b3c4fcaf59cc9b2281e3ec5a043e1a6affected
0405d4b63d082861f4eaff9d39c78ee9dc34f845< 24376458138387fb251e782e624c7776e9826796affected
… +19 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-46124

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
isofs: validate block number from NFS file handle in isofs_export_iget
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于isofs中isofs_export_iget函数未验证NFS文件句柄中的块号,可能导致读取无关数据。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 5e7de55602c61c8ff28db075cc49c8dd6989d7e0 ~ ee0024f5a7e3c73aa253869fae9650ae054093ca -
LinuxLinux 6.15 -

II. Public POCs for CVE-2026-46124

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-46124

登录查看更多情报信息。

Patches & Fixes for CVE-2026-46124 (8)

Same Patch Batch · Linux · 2026-05-28 · 138 CVEs total

CVE-2026-461379.8 CRITICALmptcp: pm: ADD_ADDR rtx: fix potential data-race
CVE-2026-461959.8 CRITICALsmb: client: validate dacloffset before building DACL pointers
CVE-2026-461159.8 CRITICALblock: add pgmap check to biovec_phys_mergeable
CVE-2026-461359.8 CRITICALnvmet-tcp: fix race between ICReq handling and queue teardown
CVE-2026-461559.1 CRITICALsmb/client: fix out-of-bounds read in smb2_compound_op()
CVE-2026-461859.1 CRITICALsmb/client: fix out-of-bounds read in symlink_data()
CVE-2026-461199.1 CRITICALlibceph: Fix slab-out-of-bounds access in auth message processing
CVE-2026-462128.8 HIGHbatman-adv: bla: prevent use-after-free when deleting claims
CVE-2026-461528.8 HIGHwifi: mac80211: drop stray 'static' from fast-RX rx_result
CVE-2026-461138.8 HIGHKVM: x86: Fix shadow paging use-after-free due to unexpected GFN
CVE-2026-462388.8 HIGHbatman-adv: stop caching unowned originator pointers in BAT IV
CVE-2026-461258.8 HIGHwifi: mac80211: remove station if connection prep fails
CVE-2026-461668.8 HIGHwifi: mac80211: use safe list iteration in radar detect work
CVE-2026-461988.8 HIGHbatman-adv: fix integer overflow on buff_pos
CVE-2026-461748.8 HIGHx86/CPU/AMD: Prevent improper isolation of shared resources in Zen2's op cache
CVE-2026-461388.1 HIGHBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
CVE-2026-462328.1 HIGHHID: playstation: Clamp num_touch_reports
CVE-2026-461767.8 HIGHRDMA/mlx5: Fix error path fall-through in mlx5_ib_dev_res_srq_init()
CVE-2026-461577.8 HIGHALSA: pcm: oss: Fix data race at accessing runtime.oss.trigger
CVE-2026-461457.8 HIGHRDMA/mana: Validate rx_hash_key_len

Showing top 20 of 138 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-46124

No comments yet

Leave a comment