CVE-2026-52992

EUVD-2026-38860
In the Linux kernel, the following vulnerability has been resolved:

fs/adfs: validate nzones in adfs_validate_bblk()

Reject ADFS disc records with a zero zone count during boot block
validation, before the disc record is used.

When nzones is 0, adfs_read_map() passes it to kmalloc_array(0, ...)
which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to
dm[-1], causing an out-of-bounds write before the allocated buffer.

adfs_validate_dr0() already rejects nzones != 1 for old-format
images.  Add the equivalent check to adfs_validate_bblk() for
new-format images so that a crafted image with nzones == 0 is
rejected at probe time.

Found by syzkaller.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
7.0.12-2
fixed
sid
7.0.13-1
fixed
trixie
vulnerable
trixie (security)
6.12.94-1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/1586bd2d2fb436a26df20a70e78b000d34a7d159
https://git.kernel.org/stable/c/1f0ed0f57f0fc87e46fe19a05435c214dc464be2
https://git.kernel.org/stable/c/33aafd2418a59c96c0389d47ea09026661fa9ec6
https://git.kernel.org/stable/c/60d82592ac8b5637fbed871381eb0a16df0a492e
https://git.kernel.org/stable/c/6ff8cca5cdb4f2e0ea6d28ecd78479dd3f221ebc
https://git.kernel.org/stable/c/a11372a8b1ceaa5e950a84b3b5fbf8228f25e277
https://git.kernel.org/stable/c/a3fd5dc1c7b0aae947a67dc2e2c037d57557a4de
https://git.kernel.org/stable/c/dd9d3e16c2d5fa166e13dce07413be51f42c8f5d