CVE-2026-23238

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel has an issue where romfs fill super() does not check the return value of sb set blocksize(). This can lead to a kernel BUG in folio set bh() if a loop device's block size is set larger than PAGE SIZE using ioctl(LOOP SET BLOCK SIZE, 32768) and a romfs filesystem is mounted on that device. Specifically, if sb set blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the device has logical block size=32768, bdev validate blocksize() fails, sb set blocksize() returns 0, but the mount process continues, resulting in an oversized block size being used during I/O operations. The vulnerable function is romfs fill super(). The issue is triggered when the requested block size is incompatible with the block device's configuration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.