{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "f54e18f1b831c92f6512d2eedb224cd63d607d3d"
            },
            {
              "fixed": "8356fb821016797f5677cbeee5ddc0d32a95b4be"
            },
            {
              "fixed": "d582e12378bc1637f337622feef762f53c43fd57"
            },
            {
              "fixed": "bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9"
            },
            {
              "fixed": "c9b37c8b73f6368e4750e5ccb0632c380b43c6e5"
            },
            {
              "fixed": "22b36fa081f38ab397c7697f9d539211b51a0cfc"
            },
            {
              "fixed": "e69da8eeab74b4f4505024c38a17bce060fe7df8"
            },
            {
              "fixed": "ef048470c90bc8c1b8318bb2ce329da9ef64b9fe"
            },
            {
              "fixed": "a36d990f591320e9dd379ab30063ebfe91d47e1f"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "08313e26e06d4aa9ce1cbba1a8e359e9cab9ad56"
            },
            {
              "last_affected": "212c4d33ca83e2144064fe9c2911607fbed5386f"
            },
            {
              "last_affected": "96e44adce250199ec9b2b928be66365779ff1b59"
            },
            {
              "last_affected": "1fe5620fcd6c2f0a4a927ee10c8e53196da392f3"
            },
            {
              "last_affected": "fbce0d7dc8965c9fb8d411862040239d4a768c71"
            },
            {
              "last_affected": "8190393a88f2b0321263a54f2a9eb5a2aa43be7e"
            },
            {
              "last_affected": "486aa789eadcf44ed87f972b209299c516454693"
            },
            {
              "last_affected": "b6d20edb6e7cedb4eedb9e0193d20dd488ebae84"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "2.6.32.66"
            },
            {
              "fixed": "2.6.33"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.2.67"
            },
            {
              "fixed": "3.3"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.4.107"
            },
            {
              "fixed": "3.5"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.10.64"
            },
            {
              "fixed": "3.11"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.12.36"
            },
            {
              "fixed": "3.13"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.14.28"
            },
            {
              "fixed": "3.15"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.17.8"
            },
            {
              "fixed": "3.18"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "3.18.2"
            },
            {
              "fixed": "3.19"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.19.0"
            },
            {
              "fixed": "5.10.258"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.209"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.140"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.88"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.30"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46303.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: validate Rock Ridge CE continuation extent against volume size\n\nrock_continue() reads rs-\u003econt_extent verbatim from the Rock Ridge CE\nrecord and passes it to sb_bread() without checking that the block\nnumber is within the mounted ISO 9660 volume.  commit e595447e177b\n(\"[PATCH] rock.c: handle corrupted directories\") added cont_offset\nand cont_size rejection for the CE continuation but did not validate\nthe extent block number itself.  commit f54e18f1b831 (\"isofs: Fix\ninfinite looping over CE entries\") later capped the CE chain length\nat RR_MAX_CE_ENTRIES = 32 but again left the block number unchecked.\n\nWith a crafted ISO mounted via udisks2 (desktop optical auto-mount)\nor via CAP_SYS_ADMIN mount, rs-\u003econt_extent can therefore point at\nan out-of-range block or at blocks belonging to an adjacent\nfilesystem on the same block device.  sb_bread() on an out-of-range\nblock returns NULL cleanly via the block layer EIO path, so there\nis no memory-safety violation.  For in-range reads of adjacent-\nfilesystem data, the CE buffer is parsed as Rock Ridge records and\nonly the text of SL sub-records reaches userspace through\nreadlink(), which makes the info-leak channel narrow and difficult\nto exploit; still, rejecting the malformed CE outright matches the\nrejection shape already present in the same function for\ncont_offset and cont_size.\n\nAdd an ISOFS_SB(sb)-\u003es_nzones bounds check to rock_continue() next\nto the existing offset/size rejection, printing the same\ncorrupted-directory-entry notice.",
  "id": "CVE-2026-46303",
  "modified": "2026-07-09T03:52:29.967161152Z",
  "published": "2026-06-08T15:46:30.642Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/22b36fa081f38ab397c7697f9d539211b51a0cfc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8356fb821016797f5677cbeee5ddc0d32a95b4be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a36d990f591320e9dd379ab30063ebfe91d47e1f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bf1bc673c587f5ef7e9c09b94aea7c5a7847d4d9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c9b37c8b73f6368e4750e5ccb0632c380b43c6e5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d582e12378bc1637f337622feef762f53c43fd57"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e69da8eeab74b4f4505024c38a17bce060fe7df8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ef048470c90bc8c1b8318bb2ce329da9ef64b9fe"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46303.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46303"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "isofs: validate Rock Ridge CE continuation extent against volume size"
}