CVE-2026-46124

High

In the Linux kernel, the following vulnerability has been resolved: isofs: validate block number from NFS file handle in isofs_export_iget isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker- controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso_directory_record. That earlier fix was assigned CVE-2025-37780. sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix. Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.

Package Linux Kernel
Published 2026-05-28
Last modified 2026-06-01
CVSS version 3.1
Patch available
Yes

CVSS 3.1 score

7.5

out of 10
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected versions

Linux kernel versions 5.10.237, 5.15.181, 6.1.135, 6.6.88, 6.12.25, 5.4.293, 6.14.4, 6.15 and later are affected. Fixed in 5.10.258, 5.15.209, 6.1.175, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2 and their respective stable series.

Affected from
≥ 5.10.237 ≥ 5.15.181 ≥ 6.1.135 ≥ 6.6.88 ≥ 6.12.25 ≥ 5.4.293 ≥ 6.14.4 ≥ 6.15
Fixed in
✓ 5.10.258 5.10.x ✓ 5.15.209 5.15.x ✓ 6.1.175 6.1.x ✓ 6.6.140 6.6.x ✓ 6.12.88 6.12.x ✓ 6.18.30 6.18.x ✓ 7.0.7 7.0.x ✓ 7.1-rc2

References

The following references provide additional information about CVE-2026-46124 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

8 patch commits total View all on NVD

Frequently asked questions

  • What is CVE-2026-46124?

    CVE-2026-46124 is a High severity Linux kernel vulnerability with a CVSS score of 7.5 out of 10 . It affects Linux kernel versions from 5.10.237 onward and has been patched in 5.10.258, 5.15.209, 6.1.175 and others. CVE-2026-46124 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

  • What is the CVSS score for CVE-2026-46124?

    CVE-2026-46124 has a CVSS score of 7.5 out of 10, rated High severity (CVSS 3.1). The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N .

  • Is there a patch available for CVE-2026-46124?

    Yes — CVE-2026-46124 has been patched. Fixed versions include 5.10.258, 5.15.209, 6.1.175 and others. If you are running Linux kernel 5.10.237 or later up to the fix versions, apply the relevant patch for your kernel branch.

  • Is CVE-2026-46124 actively exploited?

    No — CVE-2026-46124 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Back to
All CVEs
View on
NVD / NIST