CVE-2026-46303 Overview
CVE-2026-46303 is a Linux kernel vulnerability in the ISO 9660 filesystem (isofs) Rock Ridge extension handler. The rock_continue() function reads rs->cont_extent from a Rock Ridge Continuation Entry (CE) record and passes it directly to sb_bread() without verifying that the block number falls within the mounted ISO 9660 volume. A crafted ISO image mounted through udisks2 desktop auto-mount or with CAP_SYS_ADMIN privileges can direct reads to out-of-range blocks or to blocks belonging to an adjacent filesystem on the same block device.
Critical Impact
Local attackers with mount capability can trigger reads of adjacent filesystem data, producing a narrow information disclosure channel through readlink() on Rock Ridge symbolic link sub-records.
Affected Products
- Linux kernel ISO 9660 filesystem (isofs) with Rock Ridge extension support
- Systems exposing optical media auto-mount via udisks2
- Linux distributions shipping kernels prior to the patched commits
Discovery Timeline
- 2026-06-08 - CVE-2026-46303 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46303
Vulnerability Analysis
The isofs driver parses Rock Ridge extensions that allow directory entries to span multiple blocks through a CE record. The CE record stores an extent block number, an offset, and a size identifying where parsing should continue. Two prior fixes hardened this path: commit e595447e177b added rejection of malformed cont_offset and cont_size, and commit f54e18f1b831 capped CE chain length at RR_MAX_CE_ENTRIES = 32 to prevent infinite loops. Neither fix validated the extent block number itself.
When an attacker supplies a crafted ISO with an out-of-volume cont_extent, sb_bread() either returns NULL for blocks past the device end through the block layer EIO path, or returns valid buffers containing data from an adjacent partition. The CE buffer is parsed as Rock Ridge records, and the text of SL (symbolic link) sub-records propagates to userspace via readlink().
Root Cause
The root cause is missing input validation [CWE-20] on attacker-controlled filesystem metadata. The cont_extent field is read verbatim from disk and used as a block index without a bounds check against ISOFS_SB(sb)->s_nzones, the count of zones in the mounted volume.
Attack Vector
An attacker crafts an ISO 9660 image containing a Rock Ridge CE record where cont_extent points outside the volume or into an adjacent filesystem. Mounting occurs either through automatic desktop optical media handling via udisks2 or by a user holding CAP_SYS_ADMIN. A subsequent directory traversal or readlink() call against a constructed symbolic link entry triggers the unchecked block read and may return adjacent-filesystem bytes to userspace. No memory-safety violation occurs because sb_bread() handles out-of-range reads cleanly.
No public exploit code is available. See the kernel commit references for technical patch details.
Detection Methods for CVE-2026-46303
Indicators of Compromise
- Kernel log entries containing the isofs "corrupted directory entry" notice originating from rock_continue().
- Mount events from udisks2 referencing removable optical media or loopback-mounted ISO files immediately followed by readlink() activity.
- Unexpected sb_bread() EIO failures correlated with ISO 9660 mounts in dmesg.
Detection Strategies
- Audit kernel ring buffer messages for repeated Rock Ridge CE rejection notices from systems that handle untrusted ISO images.
- Correlate mount syscalls with iso9660 filesystem type and subsequent file read activity to flag anomalous local mount-then-read sequences.
- Track use of CAP_SYS_ADMIN mount operations and udisks2 D-Bus activity on endpoints that should not process external media.
Monitoring Recommendations
- Forward auditd logs covering mount, umount, and readlink syscalls to a centralized analytics platform for correlation.
- Alert on ISO 9660 mounts originating from user-writable directories such as /tmp or user home paths.
- Monitor kernel version inventory to identify hosts still running unpatched isofs code.
How to Mitigate CVE-2026-46303
Immediate Actions Required
- Apply the upstream kernel patches that add the ISOFS_SB(sb)->s_nzones bounds check to rock_continue().
- Disable automatic optical and ISO mounting via udisks2 on systems that do not require it.
- Restrict CAP_SYS_ADMIN and limit which users can mount filesystems.
Patch Information
The fix adds bounds validation of cont_extent against the volume zone count next to the existing cont_offset and cont_size rejection. Patched commits are available across stable branches: 22b36fa, 8356fb8, a36d990, bf1bc67, c9b37c8, d582e12, e69da8e, and ef04847.
Workarounds
- Blacklist the isofs kernel module on servers that never mount ISO 9660 media.
- Stop and mask the udisks2 service on hardened endpoints to block desktop auto-mount paths.
- Apply Polkit rules that deny non-administrative users from mounting removable filesystems.
# Disable udisks2 auto-mount and blacklist isofs where not required
sudo systemctl stop udisks2.service
sudo systemctl mask udisks2.service
echo 'blacklist isofs' | sudo tee /etc/modprobe.d/disable-isofs.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
