fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START
Summary
| CVE | CVE-2026-53130 |
|---|---|
| State | PUBLISHED |
| Assigner | Linux |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 17:17:28 UTC |
| Updated | 2026-07-06 15:26:25 UTC |
| Description | In the Linux kernel, the following vulnerability has been resolved: fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440). Later, omfs_make_empty() uses sbi->s_sys_blocksize - OMFS_DIR_START as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer. Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed. |
Risk And Classification
Primary CVSS: v3.1 7.8 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.001300000 probability, percentile 0.030040000 (date 2026-07-04)
Problem Types: CWE-191
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Linux | Linux Kernel | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e fbc72f5c645155dc2ed3573243ed20f9913e3a54 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 5822a05a841a10794ad818620dd2af490b0705d3 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 754ff1bea3819a90c6f33cccfc1a299ef7609f07 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 131ea3e57fc22936ed0e2c8330f2e36106172f51 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 79f84af38c9fef9deb0e02c79eb969b5541c2644 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 6561afc38398e3518a29c5eebb975c30468f98a6 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 817f16ed62bc58a168417bfb5e859c2a370bab03 git | Not specified |
| CNA | Linux | Linux | affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 0621c385fda1376e967f37ccd534c26c3e511d14 git | Not specified |
| CNA | Linux | Linux | affected 2.6.27 | Not specified |
| CNA | Linux | Linux | unaffected 2.6.27 semver | Not specified |
| CNA | Linux | Linux | unaffected 5.10.258 5.10.* semver | Not specified |
| CNA | Linux | Linux | unaffected 5.15.209 5.15.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.141 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.91 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.33 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.10 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1 * original_commit_for_fix | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/754ff1bea3819a90c6f33cccfc1a299ef7609f07 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/79f84af38c9fef9deb0e02c79eb969b5541c2644 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/817f16ed62bc58a168417bfb5e859c2a370bab03 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/5822a05a841a10794ad818620dd2af490b0705d3 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/131ea3e57fc22936ed0e2c8330f2e36106172f51 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/fbc72f5c645155dc2ed3573243ed20f9913e3a54 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/6561afc38398e3518a29c5eebb975c30468f98a6 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| git.kernel.org/stable/c/0621c385fda1376e967f37ccd534c26c3e511d14 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.