CVE-2026-53320 - Vulnerability Details

- nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()

nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks
by comparing it with the current block number bd_blocknr. If they differ,
the block is considered dead and skipped.

However, bd_oblocknr should never be 0 since block 0 typically stores the
primary superblock and is never a valid GC target block. A corrupted ioctl
request with bd_oblocknr set to 0 causes the comparison to incorrectly
match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing
the dead block check and calling nilfs_bmap_mark() on a non-existent
block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering
the WARN_ON(ret == -ENOENT).

Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the
beginning of each iteration.

[ryusuke: slightly modified the commit message and comments for accuracy]

Published: 2026-06-26

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< e0a0c4903cbba351f0f5b5d104960d3a5b23202f
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< 9472d37799a0b9ff9b99639f35961ac2f0b3c9be
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< 65e07964b4b2daf9a54e686cf0fa72d74a9648a8
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< b88f905d4449b70da6bda547be546e365e44352e
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< 4525658002be3ad310b16bf8db48c8adb6a55d32
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< e5ff0ba4b6983cdbcc826efc201e7179ece5d46f
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< 94094e70fe292c9566502772d4d4d6d6a99204b1
`7942b919f7321f95a777d396ff7894a7a83dc9b0`	affected	< be3e5d10643d3be1cbac9d9939f220a99253f980

Linux

affected

Version	Status	Constraints
`2.6.30`	affected	—
`0`	unaffected	< 2.6.30
`5.10.258`	unaffected	≤ 5.10.*
`5.15.209`	unaffected	≤ 5.15.*
`6.1.175`	unaffected	≤ 6.1.*
`6.6.141`	unaffected	≤ 6.6.*
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,e0a0c4903cbba351f0f5b5d104960d3a5b23202f)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,9472d37799a0b9ff9b99639f35961ac2f0b3c9be)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,65e07964b4b2daf9a54e686cf0fa72d74a9648a8)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,b88f905d4449b70da6bda547be546e365e44352e)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,4525658002be3ad310b16bf8db48c8adb6a55d32)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,e5ff0ba4b6983cdbcc826efc201e7179ece5d46f)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,94094e70fe292c9566502772d4d4d6d6a99204b1)`	affected	code_commit	—
`[7942b919f7321f95a777d396ff7894a7a83dc9b0,be3e5d10643d3be1cbac9d9939f220a99253f980)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`2.6.30`	affected	semver	—
`[0,2.6.30)`	unaffected	semver	—
`[5.10.258,5.11.0)`	unaffected	semver	—
`[5.15.209,5.16.0)`	unaffected	semver	—
`[6.1.175,6.2.0)`	unaffected	semver	—
`[6.6.141,6.7.0)`	unaffected	semver	—
`[6.12.91,6.13.0)`	unaffected	semver	—
`[6.18.33,6.19.0)`	unaffected	semver	—
`[7.0.10,7.1.0)`	unaffected	semver	—
`[7.1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00173.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4525658002be3ad310b16bf8db48c8adb6a55d32
https://git.kernel.org/stable/c/65e07964b4b2daf9a54e686cf0fa72d74a9648a8
https://git.kernel.org/stable/c/94094e70fe292c9566502772d4d4d6d6a99204b1
https://git.kernel.org/stable/c/9472d37799a0b9ff9b99639f35961ac2f0b3c9be
https://git.kernel.org/stable/c/b88f905d4449b70da6bda547be546e365e44352e
https://git.kernel.org/stable/c/be3e5d10643d3be1cbac9d9939f220a99253f980
https://git.kernel.org/stable/c/e0a0c4903cbba351f0f5b5d104960d3a5b23202f
https://git.kernel.org/stable/c/e5ff0ba4b6983cdbcc826efc201e7179ece5d46f

History

Fri, 26 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-20

Fri, 26 Jun 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty() nilfs_ioctl_mark_blocks_dirty() uses bd_oblocknr to detect dead blocks by comparing it with the current block number bd_blocknr. If they differ, the block is considered dead and skipped. However, bd_oblocknr should never be 0 since block 0 typically stores the primary superblock and is never a valid GC target block. A corrupted ioctl request with bd_oblocknr set to 0 causes the comparison to incorrectly match when the lookup returns -ENOENT and sets bd_blocknr to 0, bypassing the dead block check and calling nilfs_bmap_mark() on a non-existent block. This causes nilfs_btree_do_lookup() to return -ENOENT, triggering the WARN_ON(ret == -ENOENT). Fix this by rejecting ioctl requests with bd_oblocknr set to 0 at the beginning of each iteration. [ryusuke: slightly modified the commit message and comments for accuracy]
Title		nilfs2: reject zero bd_oblocknr in nilfs_ioctl_mark_blocks_dirty()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4525658002be3ad310b16bf8db48c8adb6a55d32 https://git.kernel.org/stable/c/65e07964b4b2daf9a54e686cf0fa72d74a9648a8 https://git.kernel.org/stable/c/94094e70fe292c9566502772d4d4d6d6a99204b1 https://git.kernel.org/stable/c/9472d37799a0b9ff9b99639f35961ac2f0b3c9be https://git.kernel.org/stable/c/b88f905d4449b70da6bda547be546e365e44352e https://git.kernel.org/stable/c/be3e5d10643d3be1cbac9d9939f220a99253f980 https://git.kernel.org/stable/c/e0a0c4903cbba351f0f5b5d104960d3a5b23202f https://git.kernel.org/stable/c/e5ff0ba4b6983cdbcc826efc201e7179ece5d46f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-26T19:41:11.932Z

Updated: 2026-06-26T19:41:11.932Z

Reserved: 2026-06-09T07:44:35.398Z

Link: CVE-2026-53320

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T06:00:12Z

Weaknesses

CWE-20

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object