fs/adfs: validate nzones in adfs_validate_bblk()

Summary

CVE: CVE-2026-52992
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-06-24 17:17:10 UTC
Updated: 2026-06-24 17:17:10 UTC
Description: In the Linux kernel, the following vulnerability has been resolved:

fs/adfs: validate nzones in adfs_validate_bblk()

Reject ADFS disc records with a zero zone count during boot block validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...) which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format images. Add the equivalent check to adfs_validate_bblk() for new-format images so that a crafted image with nzones == 0 is rejected at probe time.

Found by syzkaller.
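The ordering the description relies on (reject a zero zone count first, then allocate and index by it), as an added userspace C model. It is not kernel code: `struct disc_record`, `struct zone_map`, `zone_bits`, `last_bits`, `validate_record()` and `build_map()` are hypothetical stand-ins for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-ins for illustration; not the kernel's ADFS structures. */
struct disc_record {
    uint8_t  nzones;     /* zone count taken from the (untrusted) image */
    uint32_t zone_bits;  /* hypothetical: map bits per zone */
    uint32_t last_bits;  /* hypothetical: map bits used in the final zone */
};

struct zone_map {
    uint32_t startbit;
    uint32_t endbit;
};

/* Validation step: runs before the record is used anywhere else. */
int validate_record(const struct disc_record *dr)
{
    if (dr->nzones == 0)                /* the class of check the fix adds */
        return -EINVAL;
    if (dr->last_bits > dr->zone_bits)  /* model-only sanity check */
        return -EINVAL;
    return 0;
}

/* Consumer: sizes an array from nzones, then fixes up the last entry. */
struct zone_map *build_map(const struct disc_record *dr, int *err)
{
    struct zone_map *dm;
    unsigned int z;

    *err = validate_record(dr);
    if (*err)
        return NULL;                    /* nzones == 0 never reaches the allocator */

    dm = calloc(dr->nzones, sizeof(*dm));
    if (!dm) {
        *err = -ENOMEM;
        return NULL;
    }
    for (z = 0; z < dr->nzones; z++) {
        dm[z].startbit = z * dr->zone_bits;
        dm[z].endbit = dm[z].startbit + dr->zone_bits;
    }
    /* Last-entry fix-up: without the check, nzones == 0 makes this index -1. */
    dm[dr->nzones - 1].endbit = dm[dr->nzones - 1].startbit + dr->last_bits;
    return dm;
}
```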

Risk And Classification

EPSS: 0.001840000 probability, percentile 0.081720000 (date 2026-06-25)

Vendor Declared Affected Products

Source Vendor Product Version Platforms
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab 33aafd2418a59c96c0389d47ea09026661fa9ec6 git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab 1f0ed0f57f0fc87e46fe19a05435c214dc464be2 git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab 6ff8cca5cdb4f2e0ea6d28ecd78479dd3f221ebc git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab a11372a8b1ceaa5e950a84b3b5fbf8228f25e277 git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab 1586bd2d2fb436a26df20a70e78b000d34a7d159 git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab a3fd5dc1c7b0aae947a67dc2e2c037d57557a4de git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab 60d82592ac8b5637fbed871381eb0a16df0a492e git Not specified
CNA Linux Linux affected f6f14a0d71b0773a1d4147d1a3c33d537cd213ab dd9d3e16c2d5fa166e13dce07413be51f42c8f5d git Not specified
CNA Linux Linux affected 5.6 Not specified
CNA Linux Linux unaffected 5.6 semver Not specified
CNA Linux Linux unaffected 5.10.258 5.10.* semver Not specified
CNA Linux Linux unaffected 5.15.209 5.15.* semver Not specified
CNA Linux Linux unaffected 6.1.175 6.1.* semver Not specified
CNA Linux Linux unaffected 6.6.141 6.6.* semver Not specified
CNA Linux Linux unaffected 6.12.91 6.12.* semver Not specified
CNA Linux Linux unaffected 6.18.33 6.18.* semver Not specified
CNA Linux Linux unaffected 7.0.10 7.0.* semver Not specified
CNA Linux Linux unaffected 7.1 * original_commit_for_fix Not specified

References

Reference Source Link Tags
git.kernel.org/stable/c/6ff8cca5cdb4f2e0ea6d28ecd78479dd3f221ebc 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/a3fd5dc1c7b0aae947a67dc2e2c037d57557a4de 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/60d82592ac8b5637fbed871381eb0a16df0a492e 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/33aafd2418a59c96c0389d47ea09026661fa9ec6 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/dd9d3e16c2d5fa166e13dce07413be51f42c8f5d 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1f0ed0f57f0fc87e46fe19a05435c214dc464be2 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/a11372a8b1ceaa5e950a84b3b5fbf8228f25e277 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
git.kernel.org/stable/c/1586bd2d2fb436a26df20a70e78b000d34a7d159 416baaa9-dc9f-4396-8d5f-8c081fb06d67 git.kernel.org
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis