{"api_version":"1","generated_at":"2026-06-25T14:27:58+00:00","cve":"CVE-2026-53130","urls":{"html":"https://cve.report/CVE-2026-53130","api":"https://cve.report/api/cve/CVE-2026-53130.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53130","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53130"},"summary":{"title":"fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START\n\nomfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),\nbut it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).\n\nLater, omfs_make_empty() uses\n\n    sbi->s_sys_blocksize - OMFS_DIR_START\n\nas the length argument to memset().  Since s_sys_blocksize is u32,\na crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes\nan unsigned underflow there, wrapping to a value near 2^32.  That drives\na ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel\nmemory far beyond the backing block buffer.\n\nAdd the corresponding lower-bound check alongside the existing upper-bound\ncheck in omfs_fill_super(), so that malformed images are rejected during\nsuperblock validation before any filesystem data is processed.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:28","updated_at":"2026-06-24 17:17:28"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/754ff1bea3819a90c6f33cccfc1a299ef7609f07","name":"https://git.kernel.org/stable/c/754ff1bea3819a90c6f33cccfc1a299ef7609f07","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/79f84af38c9fef9deb0e02c79eb969b5541c2644","name":"https://git.kernel.org/stable/c/79f84af38c9fef9deb0e02c79eb969b5541c2644","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/817f16ed62bc58a168417bfb5e859c2a370bab03","name":"https://git.kernel.org/stable/c/817f16ed62bc58a168417bfb5e859c2a370bab03","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/5822a05a841a10794ad818620dd2af490b0705d3","name":"https://git.kernel.org/stable/c/5822a05a841a10794ad818620dd2af490b0705d3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/131ea3e57fc22936ed0e2c8330f2e36106172f51","name":"https://git.kernel.org/stable/c/131ea3e57fc22936ed0e2c8330f2e36106172f51","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/fbc72f5c645155dc2ed3573243ed20f9913e3a54","name":"https://git.kernel.org/stable/c/fbc72f5c645155dc2ed3573243ed20f9913e3a54","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6561afc38398e3518a29c5eebb975c30468f98a6","name":"https://git.kernel.org/stable/c/6561afc38398e3518a29c5eebb975c30468f98a6","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0621c385fda1376e967f37ccd534c26c3e511d14","name":"https://git.kernel.org/stable/c/0621c385fda1376e967f37ccd534c26c3e511d14","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53130","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53130","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e fbc72f5c645155dc2ed3573243ed20f9913e3a54 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 5822a05a841a10794ad818620dd2af490b0705d3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 754ff1bea3819a90c6f33cccfc1a299ef7609f07 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 131ea3e57fc22936ed0e2c8330f2e36106172f51 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 79f84af38c9fef9deb0e02c79eb969b5541c2644 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 6561afc38398e3518a29c5eebb975c30468f98a6 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 817f16ed62bc58a168417bfb5e859c2a370bab03 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected a3ab7155ea21aadc8a4d5687e91b3d876973185e 0621c385fda1376e967f37ccd534c26c3e511d14 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 2.6.27","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 2.6.27 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.258 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.209 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.175 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.141 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.91 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/omfs/inode.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"fbc72f5c645155dc2ed3573243ed20f9913e3a54","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"5822a05a841a10794ad818620dd2af490b0705d3","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"754ff1bea3819a90c6f33cccfc1a299ef7609f07","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"131ea3e57fc22936ed0e2c8330f2e36106172f51","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"79f84af38c9fef9deb0e02c79eb969b5541c2644","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"6561afc38398e3518a29c5eebb975c30468f98a6","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"817f16ed62bc58a168417bfb5e859c2a370bab03","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"},{"lessThan":"0621c385fda1376e967f37ccd534c26c3e511d14","status":"affected","version":"a3ab7155ea21aadc8a4d5687e91b3d876973185e","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/omfs/inode.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"2.6.27"},{"lessThan":"2.6.27","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.258","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.209","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.175","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.141","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.91","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.258","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.209","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.175","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.141","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.91","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"2.6.27","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"2.6.27","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START\n\nomfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),\nbut it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).\n\nLater, omfs_make_empty() uses\n\n    sbi->s_sys_blocksize - OMFS_DIR_START\n\nas the length argument to memset().  Since s_sys_blocksize is u32,\na crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes\nan unsigned underflow there, wrapping to a value near 2^32.  That drives\na ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel\nmemory far beyond the backing block buffer.\n\nAdd the corresponding lower-bound check alongside the existing upper-bound\ncheck in omfs_fill_super(), so that malformed images are rejected during\nsuperblock validation before any filesystem data is processed."}],"providerMetadata":{"dateUpdated":"2026-06-24T16:30:57.227Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/fbc72f5c645155dc2ed3573243ed20f9913e3a54"},{"url":"https://git.kernel.org/stable/c/5822a05a841a10794ad818620dd2af490b0705d3"},{"url":"https://git.kernel.org/stable/c/754ff1bea3819a90c6f33cccfc1a299ef7609f07"},{"url":"https://git.kernel.org/stable/c/131ea3e57fc22936ed0e2c8330f2e36106172f51"},{"url":"https://git.kernel.org/stable/c/79f84af38c9fef9deb0e02c79eb969b5541c2644"},{"url":"https://git.kernel.org/stable/c/6561afc38398e3518a29c5eebb975c30468f98a6"},{"url":"https://git.kernel.org/stable/c/817f16ed62bc58a168417bfb5e859c2a370bab03"},{"url":"https://git.kernel.org/stable/c/0621c385fda1376e967f37ccd534c26c3e511d14"}],"title":"fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53130","datePublished":"2026-06-24T16:30:57.227Z","dateReserved":"2026-06-09T07:44:35.386Z","dateUpdated":"2026-06-24T16:30:57.227Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:28","lastModifiedDate":"2026-06-24 17:17:28","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53130","Ordinal":"1","Title":"fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START","CVE":"CVE-2026-53130","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53130","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nfs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START\n\nomfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE),\nbut it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).\n\nLater, omfs_make_empty() uses\n\n    sbi->s_sys_blocksize - OMFS_DIR_START\n\nas the length argument to memset().  Since s_sys_blocksize is u32,\na crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes\nan unsigned underflow there, wrapping to a value near 2^32.  That drives\na ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel\nmemory far beyond the backing block buffer.\n\nAdd the corresponding lower-bound check alongside the existing upper-bound\ncheck in omfs_fill_super(), so that malformed images are rejected during\nsuperblock validation before any filesystem data is processed.","Type":"Description","Title":"fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START"}]}}}