{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23388", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.008Z", "datePublished": "2026-03-25T10:28:06.224Z", "dateUpdated": "2026-03-25T10:28:06.224Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:28:06.224Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata. This will trap this and other cases."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/cache.c"], "versions": [{"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "0c8ab092aec3ac4294940054772d30b511b16713", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "6b847d65f5b0065e02080c61fad93d57d6686383", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "01ee0bcc29864b78249308e8b35042b09bbf5fe3", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "3b9499e7d677dd4366239a292238489a804936b2", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "fdb24a820a5832ec4532273282cbd4f22c291a0d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/cache.c"], "versions": [{"version": "2.6.29", "status": "affected"}, {"version": "0", "lessThan": "2.6.29", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713"}, {"url": "https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383"}, {"url": "https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c"}, {"url": "https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3"}, {"url": "https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2"}, {"url": "https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d"}], "title": "Squashfs: check metadata block offset is within range", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata. This will trap this and other cases."}], "id": "CVE-2026-23388", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:39.280", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: Squashfs: check metadata block offset is within range", "id": "2451212", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451212"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in the Linux kernel's Squashfs component. A local attacker could craft a malicious Squashfs image with a corrupted index look-up table, leading to a negative metadata block offset. This negative offset causes an out-of-bounds access when processing the image, resulting in a general protection fault and a system crash, effectively causing a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module squashfs from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2026-23388", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23388\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23388\nhttps://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23388-9e71@gregkh/T"], "statement": "A kernel crash can occur in Squashfs metadata handling because a corrupted index lookup table can produce a negative metadata block offset. The negative offset is later used by squashfs_read_metadata and can lead to an out of bounds access in squashfs_copy_data which triggers a general protection fault. For the CVSS the PR:L because an attacker typically needs the ability to provide or mount a crafted Squashfs image or otherwise influence the filesystem contents.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T11:51:48.201931+00:00", "value": {"mitigation_remediation": ["Check the current kernel version and compare it with the upstream patch that implements the offset range check.", "Apply the kernel update that incorporates the squashfs_copy_data fix as soon as possible.", "If an update is not yet available, avoid mounting or processing SquashFS images from untrusted sources.", "Monitor system logs for general protection fault messages that may indicate exploitation attempts.", "Keep the system kernel and filesystem utilities updated to the latest stable releases to reduce exposure to similar bugs."], "summary": {"action": "Apply patch", "impact": "Out-of-bounds memory access in kernel, causing possible denial of service or privilege escalation"}, "threat_synthesis": {"affected_systems": "The affected products are Linux kernel implementations that support SquashFS. No specific kernel release range is listed in the data, so all kernel versions that include the vulnerable SquashFS data handling routines may be affected. Systems that use untrusted SquashFS images are at risk.", "description_and_impact": "The vulnerability arises from a corrupted index look\u2011up table in the SquashFS filesystem, which generates a negative metadata block offset. This offset is passed to squashfs_copy_data via squashfs_read_metadata, resulting in an out\u2011of\u2011bounds memory access and a general protection fault. The flaw represents a kernel\u2011level memory corruption issue that can lead to denial of service or, depending on the context, arbitrary code execution. It corresponds to the CWE\u2011788 weakness of accessing a memory location outside the bounds of an object.", "risk_and_exploitability": "The CVSS score is not provided, and EPSS information is unavailable, making precise risk quantification difficult. However, because the flaw occurs in kernel code, exploitation requires the ability to supply a malicious SquashFS image to the kernel. This could be achieved locally by an attacker with file\u2011system access, or remotely if SquashFS images are processed in an exposed context. The absence of KEV listing does not preclude the risk, as the vulnerability could be exploited by attackers who discover or create malicious SquashFS files."}}}}, "created": "2026-03-25T21:31:28.143121+00:00", "updated": "2026-03-25T21:31:28.143184+00:00", "vendors": [], "weaknesses": ["CWE-788"]}