CVE-2026-46303: Linux isofs Rock Ridge Information Disclosure Vulnerability
A vulnerability exists in the Linux kernel's ISO 9660 filesystem (isofs) Rock Ridge extension handler. When processing a specially crafted ISO image, the kernel fails to validate that continuation extent block numbers fall within the mounted volume's boundaries. An attacker with the ability to mount a malicious ISO—either through unprivileged auto-mounting via udisks2 on a desktop, or through privileged mount access—can cause the kernel to read data from arbitrary blocks on the same device. While memory safety is preserved because out-of-range reads cleanly fail, reads into adjacent filesystems can leak directory metadata through symbolic link text exposed to userspace. This is a validation gap in an existing security check that should have been closed alongside prior CE (continuation extent) fixes.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-401
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: isofs: validate Rock Ridge CE continuation extent against volume size rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume. commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked. With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device. sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent- filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size. Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The rock_continue() function in the Linux kernel's isofs implementation processes Rock Ridge CE (continuation extent) records to handle larger directory entries. The vulnerability stems from missing bounds validation on the cont_extent field extracted from a CE record. Prior patches added validation for cont_offset and cont_size fields, and later imposed a maximum CE chain length (RR_MAX_CE_ENTRIES = 32), but the extent block number itself was never checked against ISOFS_SB(sb)->s_nzones. An attacker-controlled cont_extent value can reference blocks outside the mounted volume, including blocks belonging to other filesystems on the same block device. When sb_bread() is called with an out-of-range block, it returns NULL via the block layer EIO path (no memory corruption), but valid in-range reads of adjacent filesystem data allow the CE buffer to be parsed as Rock Ridge records. Text from SL (symbolic link) sub-records is copied to userspace, creating a narrow but exploitable information-disclosure channel. The fix adds a bounds check identical in structure to the existing cont_offset/cont_size validation.
Business impact
This vulnerability enables unprivileged or privileged information disclosure on systems that auto-mount optical media or user-supplied ISO images. Desktop environments using udisks2 are particularly at risk, as users can trigger automatic mounting of a malicious ISO without explicit CAP_SYS_ADMIN. The leaked data is limited to Rock Ridge metadata visible through readlink() calls, but may include directory structure and naming information from adjacent filesystems sharing the same block device. In multi-tenant or regulated environments where filesystem isolation is a security requirement, this represents a compliance and confidentiality risk. Servers processing untrusted ISO images (backup verification, archival systems) face a lower but non-zero risk depending on deployment context.
Affected systems
The Linux kernel across all versions with isofs Rock Ridge support are affected. This includes all major distributions (Red Hat Enterprise Linux, Ubuntu, Debian, SUSE, Fedora, etc.) when the isofs module is loaded. Desktop systems with udisks2 and optical drive support are particularly exposed. Embedded systems, containers, and VMs that mount ISO images for package installation or livebooting may also be vulnerable. The vulnerability requires a locally-mounted ISO image, so remote exposure is indirect: an attacker must provide the malicious ISO to a target system. Verify specific patched kernel versions against your vendor's security advisories.
Exploitability
Exploitability requires the ability to mount a crafted ISO image. On a desktop with udisks2, this can be achieved by a local user with minimal privilege—simply inserting physical media or opening a file manager on a downloaded ISO. In data center environments, privileged (CAP_SYS_ADMIN) access is typically required. The information disclosure is not arbitrary memory read; it is bounded to Rock Ridge metadata in adjacent filesystems on the same block device. Extracting useful data (filenames, symlink targets) requires knowledge of the adjacent filesystem layout and the attacker's ability to interpret Rock Ridge structures. No kernel crash, privilege escalation, or code execution is possible—the attack surface is purely informational. Exploitation difficulty is low for local access scenarios, moderate for crafting a profitable payload.
Remediation
Apply a kernel security update that adds bounds validation for the cont_extent field against s_nzones in rock_continue(). This patch should be included in future stable kernel releases and backported to LTS branches. The fix is a straightforward validation check, not a structural change, so integration and testing burden is minimal. In the interim, disable isofs kernel module loading if optical media or ISO mounting is not required, or restrict mount privileges to trusted administrators. Use mount options to disable Rock Ridge extension parsing if supported by your kernel version, though this may reduce ISO functionality.
Patch guidance
Monitor your Linux distribution's security bulletins for kernel updates addressing CVE-2026-46303. Most distributions will release patched kernel versions within 2–4 weeks of vulnerability publication. For Red Hat Enterprise Linux, Canonical, and SUSE, check their respective CVE tracking pages and apply the latest kernel errata or security updates. Verify the patch includes the s_nzones bounds check in rock_continue() by reviewing the commit message or patch file. If a kernel update is not yet available from your vendor, confirm the advisory's expected release date before deploying compensating controls. Test patches in a staging environment before production rollout to ensure ISO functionality and performance are unaffected.
Detection guidance
Monitor kernel logs for 'corrupted directory entry' messages from isofs, which indicate a rejected CE record. These logs may increase on systems attempting to mount malicious ISOs. Endpoint detection and response (EDR) tools should flag unusual isofs mount attempts with user-supplied media or files. Network detection is not applicable; focus on local filesystem access auditing. In forensic analysis, examine auditd logs for mount syscalls with untrusted ISO images, and correlate with readlink() or open() calls on symlink-heavy directory trees. No userspace signature is available; detection is behavioral and log-based. Systems with strict mount policies should log all mount attempts regardless of privilege level.
Why prioritize this
CVE-2026-46303 scores 8.2 (HIGH) due to high confidentiality impact and low attack complexity. Prioritization should reflect your environment's exposure to untrusted ISO mounting: desktop systems and development environments require faster patching; servers in locked-down data centers can follow standard patch cycles. The lack of privilege escalation or denial-of-service impact means this is not a critical emergency, but the ease of exploitation on desktop systems and the simplicity of the fix warrant prompt attention within 30 days. If your organization does not mount user-supplied ISO images, risk is lower and standard patch timelines apply.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects: high confidentiality impact (C:H) from potential information disclosure of adjacent filesystem metadata; low integrity impact (I:L) because only directory metadata, not code or system state, is at risk; no availability impact (A:N) because the kernel does not crash; network-adjacent attack surface (AV:N) because ISO mounting can be triggered by unprivileged users on networked systems receiving files; low complexity (AC:L) because no race conditions or advanced techniques are needed; no privilege requirement (PR:N) in desktop auto-mount scenarios. The score appropriately flags this as actionable but not critical, as exploitability is bounded and impact is informational rather than catastrophic.
Frequently asked questions
Can this vulnerability lead to privilege escalation or kernel code execution?
No. The vulnerability is strictly an information-disclosure issue. No memory corruption, code execution, or privilege escalation is possible. The kernel properly rejects out-of-range reads and only parses valid in-range data as Rock Ridge records, limiting exposure to metadata already on the block device.
Do I need to worry about this if I don't mount ISO images or optical media?
Likely not. This vulnerability requires mounting a crafted ISO image. If your systems do not auto-mount media and you do not use ISO mounting for deployment or archival, your risk is minimal. However, development environments, CI/CD systems that use ISO liveboots, and desktop systems with udisks2 should patch.
What data can an attacker actually leak with this vulnerability?
The attacker can potentially leak directory structure and filenames from adjacent filesystems on the same block device, visible through Rock Ridge symbolic link text. This is a narrow channel compared to arbitrary memory read, but in multi-tenant or high-security environments it can still pose a risk. The attacker must have control over the ISO image and knowledge of the adjacent filesystem layout to extract useful data.
How long will it take for my vendor to release a patch?
Kernel security patches typically roll out within 2–4 weeks of publication. Check your Linux distribution's CVE tracker (Red Hat, Ubuntu, SUSE, Debian) for estimated release dates. If no update is available, you can disable isofs module loading or restrict mount privileges to administrators as a temporary measure.
This analysis is provided for informational purposes and does not constitute legal, compliance, or investment advice. The vulnerability details are derived from published advisory data and the Linux kernel commit history; specific patch versions, release timelines, and vendor-specific impact should be verified against official distribution security bulletins. Organizations are responsible for assessing their own environment's exposure, testing patches in staging, and determining appropriate remediation timelines based on their risk tolerance and operational constraints. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-46178HIGHLinux Kernel RDMA/mlx4 Resource Leak – HIGH Severity
- CVE-2026-46201HIGHLinux Xe Graphics Driver DMA-Buf Attachment Leak
- CVE-2026-46309HIGHLinux xe GPU Driver Memory Disclosure via Incoherent Cache Access
- CVE-2026-46109MEDIUMLinux Kernel USB ULPI Memory Leak – CVSS 5.5 Medium
- CVE-2026-46141MEDIUMPowerPC XIVE Memory Leak in MSI-X Interrupt Allocation
- CVE-2026-46143MEDIUMLinux QCOM Audio Driver Memory Leak – Availability Risk
- CVE-2026-46147MEDIUMLinux ARM64 KVM vCPU Initialization Pin Leak and Race Condition
- CVE-2026-46151MEDIUMLinux Kernel USB Printer Driver Heap Memory Leak