CVE-2026-23238 Overview
A vulnerability exists in the Linux kernel's romfs (Read-Only Memory filesystem) implementation where the romfs_fill_super() function fails to properly validate the return value of sb_set_blocksize(). This oversight can lead to a kernel BUG when mounting a romfs filesystem on a device with an incompatible block size configuration, resulting in a denial of service condition.
Critical Impact
Local attackers with mount privileges can trigger a kernel panic by mounting a romfs filesystem on a loop device configured with a block size larger than PAGE_SIZE, causing system instability and denial of service.
Affected Products
- Linux Kernel (romfs filesystem component)
- Systems using loop devices with modified block sizes
- Systems mounting romfs filesystems on block devices
Discovery Timeline
- March 4, 2026 - CVE CVE-2026-23238 published to NVD
- March 4, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23238
Vulnerability Analysis
The vulnerability resides in the romfs filesystem implementation within the Linux kernel. When mounting a romfs filesystem, the romfs_fill_super() function calls sb_set_blocksize() to configure the superblock's block size to ROMBSIZE (typically 4096 bytes). However, this function call's return value is not checked, which is problematic when the underlying block device has been configured with a logical block size larger than the requested size.
When a loop device is configured using ioctl(LOOP_SET_BLOCK_SIZE, 32768) to use a 32KB block size, subsequent calls to sb_set_blocksize(sb, ROMBSIZE) with ROMBSIZE=4096 will fail because bdev_validate_blocksize() rejects block sizes smaller than the device's logical block size. Despite this failure, romfs continues the mount operation with an incorrect block size configuration.
The consequence manifests during I/O operations when sb_bread() attempts to perform I/O using the device's oversized block size (32768 bytes). This triggers a kernel BUG in folio_set_bh() at fs/buffer.c:1582 where the condition BUG_ON(size > PAGE_SIZE) is violated.
Root Cause
The root cause is an improper input validation error in the romfs filesystem driver. The romfs_fill_super() function unconditionally proceeds with the mount operation without verifying that sb_set_blocksize() successfully configured the requested block size. This allows the superblock to retain an invalid block size configuration that exceeds the kernel's PAGE_SIZE limit, leading to undefined behavior during buffer operations.
Attack Vector
An attacker with local access and privileges to configure loop devices and mount filesystems can exploit this vulnerability. The attack involves configuring a loop device with a block size larger than PAGE_SIZE (e.g., 32768 bytes) using the LOOP_SET_BLOCK_SIZE ioctl, then attempting to mount a romfs filesystem on that device.
The vulnerability mechanism involves the following sequence: First, an attacker configures a loop device with an oversized block size using ioctl(LOOP_SET_BLOCK_SIZE, 32768). Then, when mounting a romfs filesystem on this device, romfs_fill_super() calls sb_set_blocksize() which fails silently. The mount continues with the device's original 32KB block size. Finally, during filesystem operations, sb_bread() triggers a kernel BUG when attempting I/O with a block size exceeding PAGE_SIZE. See the kernel patches for technical details.
Detection Methods for CVE-2026-23238
Indicators of Compromise
- Kernel panic or BUG messages referencing fs/buffer.c:1582 or folio_set_bh()
- System crashes during romfs mount operations
- Unusual loop device configurations with block sizes exceeding PAGE_SIZE
- Failed mount attempts followed by system instability
Detection Strategies
- Monitor kernel logs (dmesg) for BUG reports in the buffer.c subsystem
- Audit loop device configurations for non-standard block size settings using losetup -l
- Track mount operations targeting romfs filesystems, especially on loop devices
- Implement system call monitoring for LOOP_SET_BLOCK_SIZE ioctl calls with values > 4096
Monitoring Recommendations
- Configure kernel crash dump collection to capture relevant diagnostic information
- Enable audit logging for mount system calls with romfs filesystem type
- Monitor for unusual patterns of loop device creation and configuration changes
- Implement alerting on kernel BUG conditions in production environments
How to Mitigate CVE-2026-23238
Immediate Actions Required
- Apply the latest kernel patches from upstream Linux kernel maintainers
- Restrict access to loop device ioctl operations to trusted users only
- Audit current loop device configurations across affected systems
- Consider disabling romfs module if not required for operations
Patch Information
The Linux kernel maintainers have released patches across multiple stable kernel branches. The fix involves adding proper validation of the sb_set_blocksize() return value in romfs_fill_super(), causing the mount to fail with -EINVAL if block size configuration fails.
Available patches:
- Kernel Git Commit 2c5829c
- Kernel Git Commit 4b71ad7
- Kernel Git Commit 9b203b8
- Kernel Git Commit a381f0f
- Kernel Git Commit ab7ad7a
- Kernel Git Commit cbd9931
- Kernel Git Commit f2521ab
Workarounds
- Disable the romfs kernel module if not required: modprobe -r romfs
- Restrict mount capabilities using Linux Security Modules (SELinux/AppArmor)
- Limit access to loop device ioctl operations through device permissions
- Avoid configuring loop devices with block sizes larger than PAGE_SIZE (typically 4096)
# Configuration example
# Disable romfs module loading
echo "install romfs /bin/false" >> /etc/modprobe.d/disable-romfs.conf
# Remove romfs module if currently loaded
modprobe -r romfs
# Verify romfs is not loaded
lsmod | grep romfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
