romfs: check sb_set_blocksize() return value

MITRE NVD CVE.ORG JSON API Print: PDF PDF

Summary

CVECVE-2026-23238
StatePUBLISHED
AssignerLinux
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-03-04 15:16:14 UTC
Updated2026-06-02 14:16:48 UTC
DescriptionIn the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.

Risk And Classification

Primary CVSS: v3.1 5.5 MEDIUM from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem Types: CWE-617

CVSS v3.1 Breakdown

Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

NVD Known Affected Configurations (CPE 2.3)

TypeVendorProductVersionUpdateEditionLanguage
Operating System Linux Linux Kernel All All All All

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 a381f0f61b35c8894b0bd0d6acef2d8f9b08b244 git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 f2521ab1f63a8c244f06a080319e5ff9a2e1bd95 git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 2c5829cd8fbbc91568c520b666898f57cdcb8cf6 git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 cbd9931e6456822067725354d83446c5bb813030 git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 9b203b8ddd7359270e8a694d0584743555128e2c git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 4b71ad7676564a94ec5f7d18298f51e8ae53db73 git Not specified
CNA Linux Linux affected 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0 git Not specified
CNA Linux Linux affected 2.6.12 Not specified
CNA Linux Linux unaffected 2.6.12 semver Not specified
CNA Linux Linux unaffected 5.10.251 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.201 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.164 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.127 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.74 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.13 6.18.* semver Not specified
CNA Linux Linux unaffected 6.19 * original_commit_for_fix Not specified
ADP Siemens RUGGEDCOM RST2428P affected V4.0 custom Not specified

References

ReferenceSourceLinkTags
git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
cert-portal.siemens.com/productcert/html/ssa-253495.html 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e cert-portal.siemens.com
git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org Patch
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis
© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report