PT-2026-44247 · Linux · Linux

Published 2026-05-28 · Updated 2026-05-28 · CVE-2026-46124

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

In the Linux kernel, the following vulnerability has been resolved:

isofs: validate block number from NFS file handle in isofs_export_iget

isofs_fh_to_dentry() and isofs_fh_to_parent() pass an attacker-controlled block number (ifid->block or ifid->parent_block) from the NFS file handle to isofs_export_iget(), which only rejects block == 0 before calling isofs_iget() and ultimately sb_bread(). A crafted file handle with fh_len sufficient to pass the check added by commit 0405d4b63d08 ("isofs: Prevent the use of too small fid") can still drive the server to read any in-range block on the backing device as if it were an iso directory record. That earlier fix was assigned CVE-2025-37780.

sb_bread() on an out-of-range block returns NULL cleanly via the EIO path, so there is no memory-safety violation. For in-range reads of adjacent-partition data on the same block device, the unrelated bytes end up in iso_inode_info fields that reach the NFS client as dentry metadata. The deployment surface (isofs exported over NFS from loop-mounted images) is narrow and requires an authenticated NFS peer, but the malformed-file-handle class is reportable as hardening next to the existing CVE-2025-37780 fix.

Reject block >= ISOFS_SB(sb)->s_nzones in isofs_export_iget() so the check covers both isofs_fh_to_dentry() and isofs_fh_to_parent() call sites with a single line.
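The following userspace model is an added example, not the kernel patch or code from the advisory. It shows why the block == 0 check alone is insufficient when the backing device is larger than the ISO volume. The names `model_sb`, `model_bread`, `export_iget_before` and `export_iget_after`, the sample sizes, and the use of -ESTALE for a rejected handle are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: an ISO volume of s_nzones blocks at the start of a
 * larger backing device (for example, followed by another partition). */
struct model_sb {
    uint32_t s_nzones;      /* volume size in blocks, from the ISO descriptor */
    uint32_t device_blocks; /* blocks readable on the backing device */
};

/* Stand-in for sb_bread(): fails only when the block is off the device. */
static int model_bread(const struct model_sb *sb, uint32_t block)
{
    return block < sb->device_blocks ? 0 : -EIO;
}

/* Pre-fix behaviour described above: only block == 0 is rejected.
 * -ESTALE as the rejection value is this model's assumption. */
int export_iget_before(const struct model_sb *sb, uint32_t block)
{
    if (block == 0)
        return -ESTALE;
    return model_bread(sb, block);
}

/* Post-fix behaviour: blocks at or past s_nzones are rejected as well,
 * so the read never leaves the filesystem's own extent. */
int export_iget_after(const struct model_sb *sb, uint32_t block)
{
    if (block == 0 || block >= sb->s_nzones)
        return -ESTALE;
    return model_bread(sb, block);
}

int main(void)
{
    /* Constructed sizes: 1000-block volume on a 4096-block device. */
    const struct model_sb sb = { .s_nzones = 1000, .device_blocks = 4096 };
    const uint32_t blocks[] = { 0, 1, 999, 1000, 4095, 4096 };

    for (size_t i = 0; i < sizeof(blocks) / sizeof(blocks[0]); i++)
        printf("block %4u  before=%d  after=%d\n", (unsigned)blocks[i],
               export_iget_before(&sb, blocks[i]),
               export_iget_after(&sb, blocks[i]));
    return 0;
}
```

In the model, blocks 1000 through 4095 are the range the commit message calls in-range on the device but outside the volume: the pre-fix check lets the read proceed, and the post-fix check rejects the handle before any read.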

Fix

Related Identifiers

CVE-2026-46124

Affected Products

Linux