HIGH 7.5

CVE-2026-46124

A vulnerability in the Linux kernel's ISO 9660 filesystem (isofs) allows an attacker to read arbitrary blocks from a storage device when the filesystem is exported over NFS. An authenticated attacker can craft a malicious NFS file handle that causes the kernel to interpret unrelated data on the underlying block device as if it were part of the ISO filesystem, leaking that data to the NFS client. While this does not cause memory corruption or system crashes, it exposes sensitive information from adjacent partitions or disk regions. The issue affects systems that export ISO images (typically loop-mounted) over NFS, which is a narrower deployment scenario but still represents a data confidentiality risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the isofs_export_iget() function, which validates NFS file handles for ISO 9660 filesystems. The function receives block numbers (ifid->block or ifid->parent_block) from the NFS file handle and passes them to isofs_iget() and ultimately sb_bread() without sufficient validation. A previous partial fix (CVE-2025-37780) enforced minimum file handle length but did not validate the block number against the filesystem's zone boundary (ISOFS_SB(sb)->s_nzones). An attacker can supply a crafted file handle with a valid length but an out-of-bounds block number. When sb_bread() reads this block, it returns data from the underlying storage device that may belong to adjacent partitions or unrelated filesystem structures. This data then populates iso_inode_info fields that are exposed to the NFS client as dentry metadata. The fix adds a single validation check to reject block numbers greater than or equal to s_nzones in isofs_export_iget().

Business impact

Organizations deploying ISO 9660 filesystems via NFS (commonly loop-mounted images used for software distribution, archives, or testing environments) face a data confidentiality breach. An authenticated attacker on the NFS network can enumerate and retrieve data blocks from the underlying storage device, potentially exposing sensitive files from adjacent partitions, unrelated filesystems, or the same device. The impact is limited to environments where isofs is actively exported over NFS with network-accessible NFS services, but those deployments may include development infrastructure, content delivery systems, or backup repositories where data sensitivity varies. No integrity or availability impact occurs; this is purely an information disclosure issue.

Affected systems

All versions of the Linux kernel are affected. The vulnerability impacts systems running isofs with NFS export enabled. Typical affected deployments include: (1) development and testing environments mounting ISO images as loop devices and sharing them via NFS; (2) content delivery or archive systems using NFS-exported ISO images; (3) virtual machine infrastructure using shared ISO libraries over NFS. The risk is realized only when isofs is exported over NFS and accessible to authenticated clients; local isofs mounts are not vulnerable to the NFS file handle manipulation vector.

Exploitability

Exploitation requires an authenticated NFS peer with network access to the NFS service. No pre-authentication or privilege escalation within the target system is needed; the attacker leverages their NFS client credentials to construct and submit malformed file handles. Creating a malicious file handle is straightforward for an attacker with basic NFS protocol knowledge. The lack of a publicly available exploit and the narrow deployment surface (isofs over NFS is uncommon compared to mainstream filesystems) have likely limited practical exploitation, but the attack is reliable and deterministic once access is granted. CVSS 7.5 reflects high confidentiality impact over a network without requiring user interaction or special system configuration.

Remediation

Apply a kernel update that includes the patch adding block number validation in isofs_export_iget(). The fix checks that block < ISOFS_SB(sb)->s_nzones before proceeding. Users unable to patch immediately should restrict NFS access to the isofs mount to trusted clients only, disable NFS export of isofs mounts where feasible, or isolate isofs NFS services to private networks. Monitor NFS client access logs for unusual file handle requests or repeated failures that may indicate probe attempts.

Patch guidance

Consult your Linux distribution's security advisory and kernel update channels for the specific version addressing CVE-2026-46124. Mainline Linux kernel users should update to the version containing the isofs_export_iget() validation patch (verify against the vendor advisory for exact version numbers). Most major distributions (Red Hat, Debian, Ubuntu, SUSE, etc.) will backport this fix to their supported kernel versions; check your vendor's advisory page for timeline and availability. Test the patch in a non-production environment that mirrors your isofs-over-NFS deployment before rolling out.

Detection guidance

Monitor NFS server logs for rejected or suspicious file handle operations on isofs mounts. Configure NFS audit logging to track client access patterns and watch for repeated failures or out-of-sequence block access requests. If possible, enable kernel audit rules to log isofs operations and block number parameters. Network-level detection is challenging without deep packet inspection of NFS traffic, but an IDS configured to monitor for NFS protocol anomalies may flag suspicious file handle structures. Verify that your NFS server enforces client authentication and that only trusted systems access isofs exports.

Why prioritize this

Assign this a HIGH priority for environments actively exporting isofs over NFS, particularly if those exports are accessible over the network or to untrusted clients. Organizations with local-only isofs mounts or no NFS exports of ISO images can deprioritize this below critical firmware and hypervisor issues but should still schedule patching within a standard change window. The confidentiality risk and ease of exploitation (for authenticated attackers) justify rapid patching in affected deployments. The narrow deployment surface means this is unlikely to be exploited at internet scale, but it is a hardening issue that should not be deferred indefinitely.

Risk score, explained

CVSS 3.1 score of 7.5 (HIGH) reflects: Attack Vector=Network (unauthenticated access to NFS service), Attack Complexity=Low (no special conditions required), Privileges Required=None (NFS credentials alone suffice), User Interaction=None (automatic upon malformed file handle), and Confidentiality Impact=High (arbitrary data disclosure from the block device). Integrity and Availability are Not Impacted because the attack reads data without modifying it or disrupting service. The score correctly accounts for the ease and reliability of exploitation but does not inflate severity due to the limited deployment scope; in a deployment where isofs is NFS-exported and network-accessible, HIGH severity is appropriate.

Frequently asked questions

Does this vulnerability affect my system if I only use ISO files locally (not exported over NFS)?

No. This vulnerability is specific to NFS file handle processing. If you mount ISO images locally or use them only within a single system, you are not affected. The vulnerability requires an attacker to craft and submit a malicious NFS file handle over the network, which is only possible if isofs is actively exported via NFS.

Can an unauthenticated attacker exploit this?

No. Exploitation requires the attacker to be an authenticated NFS client with valid credentials or permissions to access the NFS export. An attacker on the network who cannot authenticate to the NFS service cannot exploit this vulnerability. Ensure your NFS service enforces strong authentication and restricts client access to trusted systems.

What data is actually exposed?

Data from the underlying block device that contains the ISO filesystem. For single-partition systems, this is typically empty space or metadata. On multi-partition devices or shared storage, an attacker could read data from adjacent partitions, unrelated filesystems, or backup regions. The exposed data is returned to the NFS client as if it were part of the ISO directory structure, so it appears in file metadata and directory listings.

Is this the same as CVE-2025-37780?

No, they are related but distinct. CVE-2025-37780 was a partial fix that enforced minimum file handle length to prevent buffer underflows. This vulnerability (CVE-2026-46124) bypasses that fix by using a valid-length file handle with an out-of-bounds block number. Both should be patched together for complete hardening of isofs NFS export validation.

This analysis is provided for informational purposes and reflects the vulnerability details available as of the publication date. Patch availability, timelines, and specific affected kernel versions should be verified against official Linux vendor security advisories and kernel.org release notes. Exploitation scenarios described are illustrative and do not constitute instructions for unauthorized access. Organizations should test patches in non-production environments before production deployment. Security postures and risk tolerance vary; prioritization should align with your organization's asset criticality and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities

  • CVE-2026-10001HIGH

    CVE-2026-10001: Chrome Sandbox Escape via PerformanceManager Use-After-Free

  • CVE-2026-10002HIGH

    CVE-2026-10002: Google Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)

  • CVE-2026-10003HIGH

    CVE-2026-10003: Chrome Use-After-Free Code Execution Vulnerability Analysis

  • CVE-2026-10006HIGH

    CVE-2026-10006: Chrome WebAudio Race Condition Remote Code Execution

  • CVE-2026-10007HIGH

    CVE-2026-10007: Chrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)

  • CVE-2026-10009HIGH

    CVE-2026-10009: Chrome Skia Integer Overflow Sandbox Escape – Patch Guidance

  • CVE-2026-10012HIGH

    CVE-2026-10012: Chrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)

  • CVE-2026-10013HIGH

    CVE-2026-10013: Use-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment