CVE-2026-45991

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
27/05/2026
Last modified:
19/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> udf: fix partition descriptor append bookkeeping<br /> <br /> Mounting a crafted UDF image with repeated partition descriptors can<br /> trigger a heap out-of-bounds write in part_descs_loc[].<br /> <br /> handle_partition_descriptor() deduplicates entries by partition number,<br /> but appended slots never record partnum. As a result duplicate<br /> Partition Descriptors are appended repeatedly and num_part_descs keeps<br /> growing.<br /> <br /> Once the table is full, the growth path still sizes the allocation from<br /> partnum even though inserts are indexed by num_part_descs. If partnum is<br /> already aligned to PART_DESC_ALLOC_STEP, ALIGN(partnum, step) can keep<br /> the old capacity and the next append writes past the end of the table.<br /> <br /> Store partnum in the appended slot and size growth from the next append<br /> count so deduplication and capacity tracking follow the same model.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.18.7 (including) 4.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.19.1 (including) 6.6.140 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.88 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 7.0.4 (excluding)
cpe:2.3:o:linux:linux_kernel:4.19:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:4.19:rc8:*:*:*:*:*:*