Listen to this Post
CVE-2026-23238 is a vulnerability in the Linux kernel’s romfs filesystem due to a missing return value check. The romfs_fill_super() function calls sb_set_blocksize() to set the filesystem’s block size to 4096 bytes but ignores the return value . If a privileged user first configures a loop device with a logical block size larger than the system’s PAGE_SIZE (e.g., 32768 bytes) using the LOOP_SET_BLOCK_SIZE ioctl, the subsequent sb_set_blocksize() call will fail because the requested 4096-byte size is incompatible with the device’s 32768-byte configuration . Since the return code is ignored, the mount operation continues with the superblock’s block size incorrectly set to the device’s larger size . Later, when the kernel performs I/O operations using sb_bread() with this oversized block size (32768 > PAGE_SIZE), it triggers a kernel BUG_ON() assertion in fs/buffer.c at line 1582 within the folio_set_bh() function, leading to a system crash and denial of service . The fix, introduced by kernel developer Deepanshu Kartikey, adds a check for the sb_set_blocksize() return value and fails the mount with -EINVAL if it returns 0 .
Platform: Linux Kernel
Version: 6.18.13-1
Vulnerability : Return value check
Severity: 5.5 (Medium)
date: 2026-03-04
Prediction: March 2026
What Undercode Say:
Analytics
The vulnerability was discovered through syzkaller fuzzing and reported by syzbot . The issue affects multiple long-term support kernels, including versions in Debian bullseye (5.10.x), bookworm (6.1.x), and Ubuntu releases for Xenial (4.4), Focal (5.4), and Jammy (5.15, 6.2, 6.5, 6.8) . The fix was applied upstream in commit ab7ad7abb366 and backported to stable kernels starting from version 6.18.13-1 .
Exploit:
Create a loop device with an oversized block size (32KB > PAGE_SIZE) dd if=/dev/zero of=romfs_test.img bs=1M count=1 LOOP_DEV=$(losetup -f) sudo losetup $LOOP_DEV romfs_test.img sudo ioctl $LOOP_DEV LOOP_SET_BLOCK_SIZE 32768 Attempt to mount a romfs filesystem on the misconfigured device This will trigger the kernel BUG in unpatched kernels mount -t romfs $LOOP_DEV /mnt/romfs_test
Protection from this CVE
Apply the kernel patch or update to a fixed version
The fix adds proper error handling in fs/romfs/super.c:
a/fs/romfs/super.c
+++ b/fs/romfs/super.c
@@ -458,7 +458,10 @@ static int romfs_fill_super(struct super_block sb, struct fs_context fc)
ifdef CONFIG_BLOCK
if (!sb->s_mtd) {
- sb_set_blocksize(sb, ROMBSIZE);
+ if (!sb_set_blocksize(sb, ROMBSIZE)) {
+ errorf(fc, "romfs: unable to set blocksize\n");
+ return -EINVAL;
+ }
} else {
sb->s_blocksize = ROMBSIZE;
sb->s_blocksize_bits = blksize_bits(ROMBSIZE);
Workaround: Disable romfs module if not needed echo "install romfs /bin/false" >> /etc/modprobe.d/disable-romfs.conf modprobe -r romfs lsmod | grep romfs Audit existing loop device configurations losetup -l | grep -v "0B"
Impact
A local attacker with capabilities to configure loop devices (CAP_SYS_ADMIN) and mount filesystems can trigger a kernel BUG, causing a system crash and denial of service . The vulnerability does not lead to privilege escalation or information disclosure; it solely impacts system availability. Systems where untrusted users have access to loop device creation or mount operations are at higher risk .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

