CVE-2026-23388 PUBLISHED

Squashfs: check metadata block offset is within range

Assigner: Linux
Reserved: 13.01.2026 Published: 25.03.2026 Updated: 25.03.2026

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check metadata block offset is within range

Syzkaller reports a "general protection fault in squashfs_copy_data".

This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset.

This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access.

The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.
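The class of check described above, as an added userspace example; it is not the kernel's code or the actual patch. `meta_block`, `meta_read` and `demo_read` are hypothetical names, the sample block is constructed, and the model covers a single 8 KiB metadata block rather than reads that continue into the next block.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define META_BLOCK_SIZE 8192  /* max uncompressed SquashFS metadata block */

struct meta_block {           /* hypothetical decompressed metadata block */
    unsigned char data[META_BLOCK_SIZE];
    int valid;                /* bytes actually present in data[] */
};

/*
 * Copy `length` bytes starting at `offset` within the block. `offset` is
 * signed because it is derived from on-disk values, so a corrupted look-up
 * table can make it negative. Returns bytes copied, or -EIO if out of range.
 */
static int meta_read(void *dst, const struct meta_block *blk,
                     int offset, int length)
{
    if (length < 0)
        return -EIO;
    /* Range check: reject before offset is used in pointer arithmetic. */
    if (offset < 0 || offset >= META_BLOCK_SIZE)
        return -EIO;
    /* The block may hold less data than the maximum size. */
    if (offset > blk->valid || length > blk->valid - offset)
        return -EIO;
    memcpy(dst, blk->data + offset, (size_t)length);
    return length;
}

/* Read 16 bytes at `offset` from a constructed sample block. */
static int demo_read(int offset)
{
    static struct meta_block blk;
    unsigned char out[16];

    if (!blk.valid) {
        memset(blk.data, 0xA5, sizeof(blk.data));
        blk.valid = META_BLOCK_SIZE;
    }
    return meta_read(out, &blk, offset, 16);
}

int main(void)
{
    int offsets[] = { 0, 8176, -16, 8180, 8192, 70000 };
    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("offset %6d -> %d\n", offsets[i], demo_read(offsets[i]));
    return 0;
}
```

Without the range check, the negative offset would place the `memcpy` source before the start of `data[]`, which is the out-of-bounds access the description refers to.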

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from f400e12656ab518be107febfe2315fb1eab5a342 to 0c8ab092aec3ac4294940054772d30b511b16713 (excl.)
  • affected from f400e12656ab518be107febfe2315fb1eab5a342 to 6b847d65f5b0065e02080c61fad93d57d6686383 (excl.)
  • affected from f400e12656ab518be107febfe2315fb1eab5a342 to 9e9fa5ad37c9cbad73c165c7ff1e76e650825e7c (excl.)
  • affected from f400e12656ab518be107febfe2315fb1eab5a342 to 01ee0bcc29864b78249308e8b35042b09bbf5fe3 (excl.)
  • affected from f400e12656ab518be107febfe2315fb1eab5a342 to 3b9499e7d677dd4366239a292238489a804936b2 (excl.)
  • affected from f400e12656ab518be107febfe2315fb1eab5a342 to fdb24a820a5832ec4532273282cbd4f22c291a0d (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 2.6.29 is affected
  • unaffected from 0 to 2.6.29 (excl.)
  • unaffected from 6.1.167 to 6.1.* (incl.)
  • unaffected from 6.6.130 to 6.6.* (incl.)
  • unaffected from 6.12.77 to 6.12.* (incl.)
  • unaffected from 6.18.17 to 6.18.* (incl.)
  • unaffected from 6.19.7 to 6.19.* (incl.)
  • unaffected from 7.0-rc2 to * (incl.)

References