{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23388", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.008Z", "datePublished": "2026-03-25T10:28:06.224Z", "dateUpdated": "2026-04-18T08:58:25.502Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-18T08:58:25.502Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata. This will trap this and other cases."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/cache.c"], "versions": [{"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "60f679f643f3f36a8571ea585e4ce5d93ef952b5", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "3f68a9457a6190814377577374da75f872e0a013", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "0c8ab092aec3ac4294940054772d30b511b16713", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "6b847d65f5b0065e02080c61fad93d57d6686383", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "01ee0bcc29864b78249308e8b35042b09bbf5fe3", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "3b9499e7d677dd4366239a292238489a804936b2", "status": "affected", "versionType": "git"}, {"version": "f400e12656ab518be107febfe2315fb1eab5a342", "lessThan": "fdb24a820a5832ec4532273282cbd4f22c291a0d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/squashfs/cache.c"], "versions": [{"version": "2.6.29", "status": "affected"}, {"version": "0", "lessThan": "2.6.29", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.29", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/60f679f643f3f36a8571ea585e4ce5d93ef952b5"}, {"url": "https://git.kernel.org/stable/c/3f68a9457a6190814377577374da75f872e0a013"}, {"url": "https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713"}, {"url": "https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383"}, {"url": "https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c"}, {"url": "https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3"}, {"url": "https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2"}, {"url": "https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d"}], "title": "Squashfs: check metadata block offset is within range", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4949E9B-FE71-4F60-A00E-27E325AA7589", "versionEndExcluding": "5.10.253", "versionStartIncluding": "2.6.29.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC6BAF-B710-4E26-B6AA-D68922EE7B43", "versionEndExcluding": "6.1.167", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C57BB918-DF28-46B3-94F7-144176841267", "versionEndExcluding": "6.6.130", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D12E00-E42D-4056-B354-BAD4903C03A5", "versionEndExcluding": "6.12.77", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5E006E4-59C7-43C1-9231-62A72219F2BA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:2.6.29:-:*:*:*:*:*:*", "matchCriteriaId": "EE6EED15-2E34-47D9-8619-78B03F2E294F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check metadata block offset is within range\n\nSyzkaller reports a \"general protection fault in squashfs_copy_data\"\n\nThis is ultimately caused by a corrupted index look-up table, which\nproduces a negative metadata block offset.\n\nThis is subsequently passed to squashfs_copy_data (via\nsquashfs_read_metadata) where the negative offset causes an out of bounds\naccess.\n\nThe fix is to check that the offset is within range in\nsquashfs_read_metadata. This will trap this and other cases."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nSquashfs: comprobar que el desplazamiento del bloque de metadatos est\u00e1 dentro del rango\n\nSyzkaller informa de un 'fallo de protecci\u00f3n general en squashfs_copy_data'\n\nEsto es causado en \u00faltima instancia por una tabla de b\u00fasqueda de \u00edndices corrupta, que produce un desplazamiento de bloque de metadatos negativo.\n\nEsto se pasa posteriormente a squashfs_copy_data (a trav\u00e9s de squashfs_read_metadata) donde el desplazamiento negativo causa un acceso fuera de l\u00edmites.\n\nLa soluci\u00f3n es comprobar que el desplazamiento est\u00e1 dentro del rango en squashfs_read_metadata. Esto atrapar\u00e1 este y otros casos."}], "id": "CVE-2026-23388", "lastModified": "2026-04-24T18:45:22.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T11:16:39.280", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/01ee0bcc29864b78249308e8b35042b09bbf5fe3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/0c8ab092aec3ac4294940054772d30b511b16713"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3b9499e7d677dd4366239a292238489a804936b2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3f68a9457a6190814377577374da75f872e0a013"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/60f679f643f3f36a8571ea585e4ce5d93ef952b5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6b847d65f5b0065e02080c61fad93d57d6686383"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fdb24a820a5832ec4532273282cbd4f22c291a0d"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: Squashfs: check metadata block offset is within range", "id": "2451212", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451212"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in the Linux kernel's Squashfs component. A local attacker could craft a malicious Squashfs image with a corrupted index look-up table, leading to a negative metadata block offset. This negative offset causes an out-of-bounds access when processing the image, resulting in a general protection fault and a system crash, effectively causing a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent module squashfs from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically."}, "name": "CVE-2026-23388", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23388\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23388\nhttps://lore.kernel.org/linux-cve-announce/2026032544-CVE-2026-23388-9e71@gregkh/T"], "statement": "A kernel crash can occur in Squashfs metadata handling because a corrupted index lookup table can produce a negative metadata block offset. The negative offset is later used by squashfs_read_metadata and can lead to an out of bounds access in squashfs_copy_data which triggers a general protection fault. For the CVSS the PR:L because an attacker typically needs the ability to provide or mount a crafted Squashfs image or otherwise influence the filesystem contents.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": ["*"], "status": "affected", "versions": {"scheme": "code_commit", "value": "[f400e12656ab518be107febfe2315fb1eab5a342,0c8ab092aec3ac4294940054772d30b511b16713)"}}, {"platform": ["*"], "status": "affected", "versions": {"scheme": "code_commit", "value": "[f400e12656ab518be107febfe2315fb1eab5a342,6b847d65f5b0065e02080c61fad93d57d6686383)"}}, {"platform": ["*"], "status": "affected", "versions": {"scheme": "code_commit", "value": "[f400e12656ab518be107febfe2315fb1eab5a342,9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c)"}}, {"platform": ["*"], "status": "affected", "versions": {"scheme": "code_commit", "value": "[f400e12656ab518be107febfe2315fb1eab5a342,01ee0bcc29864b78249308e8b35042b09bbf5fe3)"}}, {"platform": ["*"], "status": "affected", "versions": {"scheme": "code_commit", "value": "[f400e12656ab518be107febfe2315fb1eab5a342,3b9499e7d677dd4366239a292238489a804936b2)"}}, {"platform": ["*"], "status": "affected", "versions": {"scheme": "code_commit", "value": "[f400e12656ab518be107febfe2315fb1eab5a342,fdb24a820a5832ec4532273282cbd4f22c291a0d)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": ["*"], "status": "affected", "versions": {"scheme": "semver", "value": "2.6.29"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,2.6.29)"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0)"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": ["*"], "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T09:05:43.079135+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the squashfs offset range check.", "If an update is not available immediately, unmount or disable the use of squashfs filesystems until a patch can be applied.", "Regularly review kernel release notes and vendor advisories for updates related to CVE-2026-23388."], "summary": {"action": "Immediate Patch", "impact": "Kernel crash/Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel distributions that include the standard squashfs module are affected. The exact version range is not specified, but any kernel with the unpatched squashfs code is potentially vulnerable. Devices or systems that mount or access squashfs images, such as embedded systems or container images, should examine their kernel release for the fix.", "description_and_impact": "The vulnerability exists in the Linux kernel\u2019s squashfs implementation. A corrupted index look\u2011up table can produce a negative metadata block offset that is subsequently passed to squashfs_copy_data. The negative offset results in an out\u2011of\u2011bounds memory access, triggering a general protection fault. Failure to detect this condition can cause the kernel to crash, effectively denying service to processes requiring access to a malformed squashfs filesystem.", "risk_and_exploitability": "CVSS scoring indicates a high severity (7.1). The EPSS score is below 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the KEV catalog. Exploitation would likely require an attacker to supply a crafted squashfs image with an invalid index that the kernel processes, making the attack vector local or requiring privileged mounting. Overall, the risk is moderate to high, but the impact of a kernel crash warrants timely remediation."}}}}, "created": "2026-03-25T21:31:28.143121+00:00", "updated": "2026-04-28T09:15:09.682392+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}