{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T08:55:55.690","vulnerabilities":[{"cve":{"id":"CVE-2026-23238","sourceIdentifier":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","published":"2026-03-04T15:16:14.530","lastModified":"2026-06-02T14:16:48.490","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nromfs: check sb_set_blocksize() return value\n\nromfs_fill_super() ignores the return value of sb_set_blocksize(), which\ncan fail if the requested block size is incompatible with the block\ndevice's configuration.\n\nThis can be triggered by setting a loop device's block size larger than\nPAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs\nfilesystem on that device.\n\nWhen sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the\ndevice has logical_block_size=32768, bdev_validate_blocksize() fails\nbecause the requested size is smaller than the device's logical block\nsize. sb_set_blocksize() returns 0 (failure), but romfs ignores this and\ncontinues mounting.\n\nThe superblock's block size remains at the device's logical block size\n(32768). Later, when sb_bread() attempts I/O with this oversized block\nsize, it triggers a kernel BUG in folio_set_bh():\n\n    kernel BUG at fs/buffer.c:1582!\n    BUG_ON(size > PAGE_SIZE);\n\nFix by checking the return value of sb_set_blocksize() and failing the\nmount with -EINVAL if it returns 0."},{"lang":"es","value":"En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nromfs: verificar el valor de retorno de sb_set_blocksize()\n\nromfs_fill_super() ignora el valor de retorno de sb_set_blocksize(), lo cual puede fallar si el tamaño de bloque solicitado es incompatible con la configuración del dispositivo de bloques.\n\nEsto puede ser activado al establecer el tamaño de bloque de un dispositivo de bucle mayor que PAGE_SIZE usando ioctl(LOOP_SET_BLOCK_SIZE, 32768), y luego montando un sistema de archivos romfs en ese dispositivo.\n\nCuando se llama a sb_set_blocksize(sb, ROMBSIZE) con ROMBSIZE=4096 pero el dispositivo tiene logical_block_size=32768, bdev_validate_blocksize() falla porque el tamaño solicitado es menor que el tamaño de bloque lógico del dispositivo. sb_set_blocksize() devuelve 0 (falla), pero romfs ignora esto y continúa el montaje.\n\nEl tamaño de bloque del superbloque permanece en el tamaño de bloque lógico del dispositivo (32768). Más tarde, cuando sb_bread() intenta E/S con este tamaño de bloque sobredimensionado, activa un BUG del kernel en folio_set_bh():\n\n    BUG del kernel en fs/buffer.c:1582!\n    BUG_ON(size > PAGE_SIZE);\n\nSolución al verificar el valor de retorno de sb_set_blocksize() y fallar el montaje con -EINVAL si devuelve 0."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-617"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.12.1","versionEndExcluding":"5.10.251","matchCriteriaId":"CABFF5E9-C52A-4642-9228-1D6E483DA497"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.201","matchCriteriaId":"600A89ED-86F2-48D8-BB7C-5EE7A8832FC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.164","matchCriteriaId":"6892F74B-3F14-4500-9652-24A2ECB04144"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.127","matchCriteriaId":"4A9F36A3-A685-48A0-84B4-6217052BD058"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.74","matchCriteriaId":"C2968F55-D03F-42BE-A694-F0A37BC8CBE3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.13","matchCriteriaId":"6BDEF9FB-423E-49F6-991B-9277CC3AF400"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*","matchCriteriaId":"6F62EECE-8FB1-4D57-85D8-CB9E23CF313C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*","matchCriteriaId":"4F76C298-81DC-43E4-8FC9-DC005A2116EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*","matchCriteriaId":"0AB349B2-3F78-4197-882B-90ADB3BF645A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*","matchCriteriaId":"6AC88830-A9BC-4607-B572-A4B502FC9FD0"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*","matchCriteriaId":"476CB3A5-D022-4F13-AAEF-CB6A5785516A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*","matchCriteriaId":"CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*","matchCriteriaId":"3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*","matchCriteriaId":"F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"]},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html","source":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}]}