CVE-2026-23388
Published: 25 March 2026
Summary
CVE-2026-23388 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 3.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation of the Squashfs offset validation flaw via kernel patches directly prevents exploitation of the out-of-bounds read vulnerability.
Validates metadata block offsets from Squashfs index tables to block negative or out-of-range values before they reach data copying operations.
Kernel memory protection mechanisms like KASLR and supervisor-mode protections mitigate information disclosure and crashes from out-of-bounds reads in Squashfs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability description maps directly to local exploitation of a kernel filesystem parser via a malicious Squashfs image, resulting in an out-of-bounds read that produces a general protection fault (kernel crash/DoS).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: Squashfs: check metadata block offset is within range Syzkaller reports a "general protection fault in squashfs_copy_data" This is ultimately caused by a corrupted index look-up table, which produces a negative metadata block offset. This is subsequently passed to squashfs_copy_data (via squashfs_read_metadata) where the negative offset causes an out of bounds access. The fix is to check that the offset is within range in squashfs_read_metadata. This will trap this and other cases.
Deeper analysis
CVE-2026-23388 is a vulnerability in the Linux kernel's Squashfs filesystem implementation. It arises from a failure to validate metadata block offsets, where a corrupted index lookup table can produce a negative offset. This offset is passed to squashfs_read_metadata and then to squashfs_copy_data, resulting in an out-of-bounds memory access and a general protection fault, as reported by the Syzkaller fuzzer. The issue is classified under CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).
A local attacker with low privileges can exploit this vulnerability by mounting a malicious Squashfs image containing a corrupted index table. Successful exploitation leads to an out-of-bounds read, potentially causing a kernel crash (denial of service via general protection fault) and disclosure of sensitive kernel memory (high confidentiality impact), though integrity is unaffected.
Mitigation is provided through kernel patches in the stable trees, as detailed in the referenced commits (e.g., 01ee0bcc2986, 0c8ab092aec3). These add a range check for the metadata block offset in squashfs_read_metadata to prevent negative or out-of-range values from proceeding to data copying operations. Security practitioners should update to kernels incorporating these fixes.
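A simplified userspace model of the kind of range check described above, added here as an illustration; it is not the kernel patch or Squashfs source. The names `read_metadata_checked`, `struct meta_block`, `make_sample_block` and the single-block layout sized by `META_BLOCK_SIZE` are assumptions made for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define META_BLOCK_SIZE 8192 /* assumed capacity of one decompressed block */

/* Constructed stand-in for one decompressed metadata block. */
struct meta_block {
    uint8_t data[META_BLOCK_SIZE];
    int length; /* number of valid bytes in data */
};

/* `offset` is signed and comes from an untrusted on-disk index table; a
 * corrupted table can make it negative or past the block end. Returns the
 * byte count copied, or -EIO if the request leaves the block. */
int read_metadata_checked(const struct meta_block *blk, int offset,
                          void *dst, int want)
{
    if (blk->length < 0 || blk->length > META_BLOCK_SIZE)
        return -EIO; /* block length itself is corrupt */
    if (offset < 0 || offset >= blk->length)
        return -EIO; /* range check happens before any pointer arithmetic */
    if (want < 0 || want > blk->length - offset)
        return -EIO; /* request would run past the valid data */
    memcpy(dst, blk->data + offset, (size_t)want);
    return want;
}

/* Fill a block with constructed sample data: 100 valid bytes, data[i] = i. */
void make_sample_block(struct meta_block *blk)
{
    memset(blk->data, 0, sizeof(blk->data));
    for (int i = 0; i < 100; i++)
        blk->data[i] = (uint8_t)i;
    blk->length = 100;
}

int main(void)
{
    struct meta_block blk;
    uint8_t out[8];
    int offsets[] = { 10, -16, 100, 8192 }; /* constructed test offsets */
    make_sample_block(&blk);
    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("offset %5d -> %d\n", offsets[i],
               read_metadata_checked(&blk, offsets[i], out, 4));
    return 0;
}
```

The model handles a single block only; a read that would continue into a following metadata block is rejected here rather than followed.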
Details
- CWE(s)