FKIE_CVE-2026-23238

Vulnerability from fkie_nvd - Published: 2026-03-04 15:16 - Updated: 2026-03-04 18:08
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: romfs: check sb_set_blocksize() return value romfs_fill_super() ignores the return value of sb_set_blocksize(), which can fail if the requested block size is incompatible with the block device's configuration. This can be triggered by setting a loop device's block size larger than PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs filesystem on that device. When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical_block_size=32768, bdev_validate_blocksize() fails because the requested size is smaller than the device's logical block size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and continues mounting. The superblock's block size remains at the device's logical block size (32768). Later, when sb_bread() attempts I/O with this oversized block size, it triggers a kernel BUG in folio_set_bh(): kernel BUG at fs/buffer.c:1582! BUG_ON(size > PAGE_SIZE); Fix by checking the return value of sb_set_blocksize() and failing the mount with -EINVAL if it returns 0.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nromfs: check sb_set_blocksize() return value\n\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\ncan fail if the requested block size is incompatible with the block\ndevice\u0027s configuration.\n\nThis can be triggered by setting a loop device\u0027s block size larger than\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\nfilesystem on that device.\n\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\nbecause the requested size is smaller than the device\u0027s logical block\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\ncontinues mounting.\n\nThe superblock\u0027s block size remains at the device\u0027s logical block size\n(32768). Later, when sb_bread() attempts I/O with this oversized block\nsize, it triggers a kernel BUG in folio_set_bh():\n\n    kernel BUG at fs/buffer.c:1582!\n    BUG_ON(size \u003e PAGE_SIZE);\n\nFix by checking the return value of sb_set_blocksize() and failing the\nmount with -EINVAL if it returns 0."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nromfs: verificar el valor de retorno de sb_set_blocksize()\n\nromfs_fill_super() ignora el valor de retorno de sb_set_blocksize(), lo cual puede fallar si el tama\u00f1o de bloque solicitado es incompatible con la configuraci\u00f3n del dispositivo de bloques.\n\nEsto puede ser activado al establecer el tama\u00f1o de bloque de un dispositivo de bucle mayor que PAGE_SIZE usando ioctl(LOOP_SET_BLOCK_SIZE, 32768), y luego montando un sistema de archivos romfs en ese dispositivo.\n\nCuando se llama a sb_set_blocksize(sb, ROMBSIZE) con ROMBSIZE=4096 pero el dispositivo tiene logical_block_size=32768, bdev_validate_blocksize() falla porque el tama\u00f1o solicitado es menor que el tama\u00f1o de bloque l\u00f3gico del dispositivo. sb_set_blocksize() devuelve 0 (falla), pero romfs ignora esto y contin\u00faa el montaje.\n\nEl tama\u00f1o de bloque del superbloque permanece en el tama\u00f1o de bloque l\u00f3gico del dispositivo (32768). M\u00e1s tarde, cuando sb_bread() intenta E/S con este tama\u00f1o de bloque sobredimensionado, activa un BUG del kernel en folio_set_bh():\n\n    BUG del kernel en fs/buffer.c:1582!\n    BUG_ON(size \u0026gt; PAGE_SIZE);\n\nSoluci\u00f3n al verificar el valor de retorno de sb_set_blocksize() y fallar el montaje con -EINVAL si devuelve 0."
    }
  ],
  "id": "CVE-2026-23238",
  "lastModified": "2026-03-04T18:08:05.730",
  "metrics": {},
  "published": "2026-03-04T15:16:14.530",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.