KernelScan.io

HIGH

squashfs Metadata Offset OOB

CVE-2026-23388

CVSS 7.1 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI: 7.1 HIGH


In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check metadata block offset is within range

Syzkaller reports a "general protection fault in squashfs_copy_data". This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access.

The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.


Engine v0.2.0

Risk summary

A maliciously crafted squashfs filesystem image can cause the kernel to perform out-of-bounds memory reads, potentially leading to information disclosure or system crashes. This affects any system that processes untrusted squashfs images, such as embedded systems, container environments, or systems that allow users to mount filesystem images.

Affected: fs/squashfs/cache.c

Vulnerability analysis

Root Cause: The squashfs_read_metadata function in fs/squashfs/cache.c does not validate that the metadata block offset parameter is within valid bounds before using it. A corrupted index lookup table can produce a negative offset value which, when passed to squashfs_copy_data, causes an out-of-bounds memory access and a general protection fault.

Attack Surface: This vulnerability affects systems that mount and read squashfs filesystems. An attacker would need to provide a maliciously crafted squashfs image with a corrupted index lookup table. The attack is local in nature, requiring the ability to mount filesystems or provide filesystem images to the system.

Fix Mechanism: The patch adds a bounds check in squashfs_read_metadata to validate that the offset is non-negative and less than SQUASHFS_METADATA_SIZE before proceeding with the read operation. If the offset is out of bounds, the function returns -EIO to prevent the out-of-bounds access.
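The bounds check described above, modelled as a stand-alone C program. This is an added example, not the kernel's code: struct meta_block, read_metadata_checked, fill_sample_block, read_at and valid_read_ok are constructed stand-ins for the squashfs cache path (the real function also chains into the next cached block); only the SQUASHFS_METADATA_SIZE value (8192) and the -EIO return match the kernel.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same value as the kernel's SQUASHFS_METADATA_SIZE (fs/squashfs/squashfs_fs.h). */
#define SQUASHFS_METADATA_SIZE 8192

/* Constructed stand-in for one decompressed metadata block in the squashfs
 * cache. The real cache entry carries more state and chains to the next block. */
struct meta_block {
    int length;                                /* valid bytes in data[] */
    unsigned char data[SQUASHFS_METADATA_SIZE];
};

/* Hypothetical model of squashfs_read_metadata -> squashfs_copy_data: copy up
 * to `length` bytes from blk starting at *offset into buffer and advance
 * *offset. Returns the byte count, or -EIO when the offset is out of range. */
static int read_metadata_checked(const struct meta_block *blk, void *buffer,
                                 int *offset, int length)
{
    int avail, n;

    /* The fix: a corrupted index lookup table can deliver a negative (or
     * oversized) offset. Reject it before the copy indexes outside the 8 KiB
     * block; without this check the copy is the OOB read syzkaller reported. */
    if (*offset < 0 || *offset >= SQUASHFS_METADATA_SIZE)
        return -EIO;
    if (length < 0)
        return -EIO;

    avail = blk->length - *offset;            /* bytes cached past *offset */
    if (avail <= 0)
        return 0;
    n = length < avail ? length : avail;      /* this model stops at block end */
    memcpy(buffer, blk->data + *offset, (size_t)n);
    *offset += n;
    return n;
}

/* Constructed fixture: a 4096-byte block whose byte i holds (i & 0xff). */
static void fill_sample_block(struct meta_block *blk)
{
    int i;

    memset(blk, 0, sizeof *blk);
    blk->length = 4096;
    for (i = 0; i < blk->length; i++)
        blk->data[i] = (unsigned char)(i & 0xff);
}

/* Run one read against the fixture and return what read_metadata_checked
 * returns. A negative offset stands in for the value a corrupted table produced. */
static int read_at(int offset, int length)
{
    static struct meta_block blk;
    unsigned char buf[SQUASHFS_METADATA_SIZE];

    fill_sample_block(&blk);
    return read_metadata_checked(&blk, buf, &offset, length);
}

/* Check that an in-range read copies the right bytes and advances the cursor.
 * Returns 1 on success, 0 on any mismatch. */
static int valid_read_ok(void)
{
    static struct meta_block blk;
    unsigned char buf[16];
    int offset = 100, n, i;

    fill_sample_block(&blk);
    n = read_metadata_checked(&blk, buf, &offset, 16);
    if (n != 16 || offset != 116)
        return 0;
    for (i = 0; i < 16; i++)
        if (buf[i] != (unsigned char)((100 + i) & 0xff))
            return 0;
    return 1;
}

int main(void)
{
    printf("offset 100, 16 bytes   -> %d\n", read_at(100, 16));      /* 16 */
    printf("offset 4000, 200 bytes -> %d\n", read_at(4000, 200));    /* 96: block ends */
    printf("offset -8 (corrupt)    -> %d (-EIO is %d)\n", read_at(-8, 16), -EIO);
    printf("offset 8192            -> %d\n", read_at(SQUASHFS_METADATA_SIZE, 16));
    printf("valid read contents ok -> %d\n", valid_read_ok());       /* 1 */
    return 0;
}
```

The check sits before any pointer arithmetic on the block, which is the property that matters: an offset from an untrusted on-disk table is validated against the fixed metadata block size, and the caller sees -EIO rather than a fault, regardless of which table produced the bad value.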


Branch     Fixed in    Patch commit
5.10       5.10.253    60f679f643f3
5.15       5.15.203    3f68a9457a61
6.1        6.1.167     0c8ab092aec3
6.12       6.12.77     9e9fa5ad37c9
6.18       6.18.17     01ee0bcc2986
6.19       6.19.7      3b9499e7d677
6.6        6.6.130     6b847d65f5b0
mainline   7.0         fdb24a820a58