Vulnerability-Lookup

FKIE_CVE-2026-45991

Vulnerability from fkie_nvd - Published: 2026-05-27 14:17 - Updated: 2026-05-27 14:48

Severity

Summary

In the Linux kernel, the following vulnerability has been resolved: udf: fix partition descriptor append bookkeeping Mounting a crafted UDF image with repeated partition descriptors can trigger a heap out-of-bounds write in part_descs_loc[]. handle_partition_descriptor() deduplicates entries by partition number, but appended slots never record partnum. As a result duplicate Partition Descriptors are appended repeatedly and num_part_descs keeps growing. Once the table is full, the growth path still sizes the allocation from partnum even though inserts are indexed by num_part_descs. If partnum is already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep the old capacity and the next append writes past the end of the table. Store partnum in the appended slot and size growth from the next append count so deduplication and capacity tracking follow the same model.

References

	URL	Tags
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6
	416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix partition descriptor append bookkeeping\n\nMounting a crafted UDF image with repeated partition descriptors can\ntrigger a heap out-of-bounds write in part_descs_loc[].\n\nhandle_partition_descriptor() deduplicates entries by partition number,\nbut appended slots never record partnum. As a result duplicate\nPartition Descriptors are appended repeatedly and num_part_descs keeps\ngrowing.\n\nOnce the table is full, the growth path still sizes the allocation from\npartnum even though inserts are indexed by num_part_descs. If partnum is\nalready aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep\nthe old capacity and the next append writes past the end of the table.\n\nStore partnum in the appended slot and size growth from the next append\ncount so deduplication and capacity tracking follow the same model."
    }
  ],
  "id": "CVE-2026-45991",
  "lastModified": "2026-05-27T14:48:03.013",
  "metrics": {},
  "published": "2026-05-27T14:17:16.643",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}

CVE-2026-45991 (GCVE-0-2026-45991)

Vulnerability from cvelistv5 – Published: 2026-05-27 12:55 – Updated: 2026-05-27 12:55

Title

udf: fix partition descriptor append bookkeeping

Summary

Severity

No CVSS data available.

Assigner

Linux

References

4 references

URL	Tags
https://git.kernel.org/stable/c/058b451b1039f056d…
https://git.kernel.org/stable/c/b5597bb83fc37b5b5…
https://git.kernel.org/stable/c/08fa5d818e5bf53c7…
https://git.kernel.org/stable/c/08841b06fa64d8edb…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: ee4af50ca94f58afc3532662779b9cf80bbe27c8 , < 058b451b1039f056d1362c4fec2229e522366ab0 (git) Affected: ee4af50ca94f58afc3532662779b9cf80bbe27c8 , < b5597bb83fc37b5b5da74a4453fa920b932cf39a (git) Affected: ee4af50ca94f58afc3532662779b9cf80bbe27c8 , < 08fa5d818e5bf53c7ca234d88ba334f32004e9b6 (git) Affected: ee4af50ca94f58afc3532662779b9cf80bbe27c8 , < 08841b06fa64d8edbd1a21ca6e613420c90cc4b8 (git) Affected: 7f401f160a9c7a1ff84ba3cb9b2f636d1f5cfb6b (git) Affected: 4.18.7 , < 4.19 (semver)
Linux	Linux	Affected: 4.19 Unaffected: 0 , < 4.19 (semver) Unaffected: 6.6.140 , ≤ 6.6.* (semver) Unaffected: 6.12.88 , ≤ 6.12.* (semver) Unaffected: 7.0.4 , ≤ 7.0.* (semver) Unaffected: 7.1-rc1 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/udf/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "058b451b1039f056d1362c4fec2229e522366ab0",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "lessThan": "b5597bb83fc37b5b5da74a4453fa920b932cf39a",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "lessThan": "08fa5d818e5bf53c7ca234d88ba334f32004e9b6",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "lessThan": "08841b06fa64d8edbd1a21ca6e613420c90cc4b8",
              "status": "affected",
              "version": "ee4af50ca94f58afc3532662779b9cf80bbe27c8",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7f401f160a9c7a1ff84ba3cb9b2f636d1f5cfb6b",
              "versionType": "git"
            },
            {
              "lessThan": "4.19",
              "status": "affected",
              "version": "4.18.7",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/udf/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.140",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "7.0.*",
              "status": "unaffected",
              "version": "7.0.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.1-rc1",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.140",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0.4",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.1-rc1",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.18.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nudf: fix partition descriptor append bookkeeping\n\nMounting a crafted UDF image with repeated partition descriptors can\ntrigger a heap out-of-bounds write in part_descs_loc[].\n\nhandle_partition_descriptor() deduplicates entries by partition number,\nbut appended slots never record partnum. As a result duplicate\nPartition Descriptors are appended repeatedly and num_part_descs keeps\ngrowing.\n\nOnce the table is full, the growth path still sizes the allocation from\npartnum even though inserts are indexed by num_part_descs. If partnum is\nalready aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep\nthe old capacity and the next append writes past the end of the table.\n\nStore partnum in the appended slot and size growth from the next append\ncount so deduplication and capacity tracking follow the same model."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T12:55:43.449Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/058b451b1039f056d1362c4fec2229e522366ab0"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5597bb83fc37b5b5da74a4453fa920b932cf39a"
        },
        {
          "url": "https://git.kernel.org/stable/c/08fa5d818e5bf53c7ca234d88ba334f32004e9b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/08841b06fa64d8edbd1a21ca6e613420c90cc4b8"
        }
      ],
      "title": "udf: fix partition descriptor append bookkeeping",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-45991",
    "datePublished": "2026-05-27T12:55:43.449Z",
    "dateReserved": "2026-05-13T15:03:33.091Z",
    "dateUpdated": "2026-05-27T12:55:43.449Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2026-45991

CVE-2026-45991 (GCVE-0-2026-45991)

Tags

Sightings

Nomenclature