CVE-2026-46303

HIGHPre-NVD 8.28.2
EchelonGraph scoreHIGH confidence

Score 8.2 from GitHub Security Advisory (severity: HIGH) published 2026-06-08. the CNA's CVSS baseline 8.2; sources differ by 0.0.

Triggered by: GitHub Security Advisory CVSS
Sources: cna:linux, epss, ghsa
8.2
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.2Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate Rock Ridge CE continuation extent against volume size

rock_continue() reads rs->cont_extent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the mounted ISO 9660 volume. commit e595447e177b ("[PATCH] rock.c: handle corrupted directories") added cont_offset and cont_size rejection for the CE continuation but did not validate the extent block number itself. commit f54e18f1b831 ("isofs: Fix infinite looping over CE entries") later capped the CE chain length at RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.

With a crafted ISO mounted via udisks2 (desktop optical auto-mount) or via CAP_SYS_ADMIN mount, rs->cont_extent can therefore point at an out-of-range block or at blocks belonging to an adjacent filesystem on the same block device. sb_bread() on an out-of-range block returns NULL cleanly via the block layer EIO path, so there is no memory-safety violation. For in-range reads of adjacent- filesystem data, the CE buffer is parsed as Rock Ridge records and only the text of SL sub-records reaches userspace through readlink(), which makes the info-leak channel narrow and difficult to exploit; still, rejecting the malformed CE outright matches the rejection shape already present in the same function for cont_offset and cont_size.

Add an ISOFS_SB(sb)->s_nzones bounds check to rock_continue() next to the existing offset/size rejection, printing the same corrupted-directory-entry notice.

CVSS v3
8.2
EG Score
8.2(high)
EPSS
19.7%
KEV
Not listed

Published

June 8, 2026

Last Modified

June 14, 2026

Advisory Details (8)

Auto-updated Jun 14, 2026
No patch confirmed yet.
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be
generic

isofs: validate Rock Ridge CE continuation extent against volume size - kernel/git/stable/linux.git - Linux kernel stable tree

https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc

Vendor Advisories for CVE-2026-46303(2)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Frequently asked(5)

What is CVE-2026-46303?
CVE-2026-46303 is a high vulnerability published on June 8, 2026. In the Linux kernel, the following vulnerability has been resolved: isofs: validate Rock Ridge CE continuation extent against volume size rockcontinue() reads rs->contextent verbatim from the Rock Ridge CE record and passes it to sb_bread() without checking that the block number is within the…
When was CVE-2026-46303 disclosed?
CVE-2026-46303 was first published in the National Vulnerability Database on June 8, 2026, with the most recent update on June 14, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-46303 actively exploited?
CVE-2026-46303 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 19.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-46303?
CVE-2026-46303 has a CVSS v4.0 base score of 8.2 (CNA self-assessment; NVD's own analysis pending).
How do I remediate CVE-2026-46303?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-46303, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-46303

Explore →

Is Your Infrastructure Affected by CVE-2026-46303?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.