CVE-2026-23238

EUVD-2026-9410

04.03.2026, 15:16

In the Linux kernel, the following vulnerability has been resolved:

romfs: check sb_set_blocksize() return value

romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail if the requested block size is incompatible with the block
device's configuration.

This can be triggered by setting a loop device's block size larger than
PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs
filesystem on that device.

When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the
device has logical_block_size=32768, bdev_validate_blocksize() fails
because the requested size is smaller than the device's logical block
size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and
continues mounting.

The superblock's block size remains at the device's logical block size
(32768). Later, when sb_bread() attempts I/O with this oversized block
size, it triggers a kernel BUG in folio_set_bh():

    kernel BUG at fs/buffer.c:1582!
    BUG_ON(size > PAGE_SIZE);

Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	2.6.12.1 ≤ 𝑥 < 5.10.251
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.201
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.164
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.127
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.74
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.13
linux	linux_kernel	2.6.12
linux	linux_kernel	2.6.12:rc2
linux	linux_kernel	2.6.12:rc3
linux	linux_kernel	2.6.12:rc4
linux	linux_kernel	2.6.12:rc5
linux	linux_kernel	6.19:rc1
linux	linux_kernel	6.19:rc2
linux	linux_kernel	6.19:rc3
linux	linux_kernel	6.19:rc4
linux	linux_kernel	6.19:rc5
linux	linux_kernel	6.19:rc6
linux	linux_kernel	6.19:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	vulnerable
bookworm (security)	6.1.164-1 fixed
bullseye	vulnerable
bullseye (security)	5.10.251-1 fixed
forky	6.19.11-1 fixed
sid	6.19.12-1 fixed
trixie	vulnerable
trixie (security)	6.12.74-2 fixed

linux-6.1

bullseye (security)

6.1.164-1~deb11u1

fixed

Common Weakness Enumeration

CWE-617 - Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

References

https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6

https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73

https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c

https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244

https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0

https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030

https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95