Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Linux Kernel: Incorrect Block Size Can Crash the System
CVE-2026-23238
Summary
A bug in the Linux kernel can cause a system crash when using a specific type of file system. This happens when a file system is mounted with an incorrect block size, leading to a kernel error. To fix this, the kernel has been updated to check for and prevent this incorrect block size from being used.
Original title
In the Linux kernel, the following vulnerability has been resolved:
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail ...
Original description
In the Linux kernel, the following vulnerability has been resolved:
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail if the requested block size is incompatible with the block
device's configuration.
This can be triggered by setting a loop device's block size larger than
PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs
filesystem on that device.
When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the
device has logical_block_size=32768, bdev_validate_blocksize() fails
because the requested size is smaller than the device's logical block
size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and
continues mounting.
The superblock's block size remains at the device's logical block size
(32768). Later, when sb_bread() attempts I/O with this oversized block
size, it triggers a kernel BUG in folio_set_bh():
kernel BUG at fs/buffer.c:1582!
BUG_ON(size > PAGE_SIZE);
Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.
romfs: check sb_set_blocksize() return value
romfs_fill_super() ignores the return value of sb_set_blocksize(), which
can fail if the requested block size is incompatible with the block
device's configuration.
This can be triggered by setting a loop device's block size larger than
PAGE_SIZE using ioctl(LOOP_SET_BLOCK_SIZE, 32768), then mounting a romfs
filesystem on that device.
When sb_set_blocksize(sb, ROMBSIZE) is called with ROMBSIZE=4096 but the
device has logical_block_size=32768, bdev_validate_blocksize() fails
because the requested size is smaller than the device's logical block
size. sb_set_blocksize() returns 0 (failure), but romfs ignores this and
continues mounting.
The superblock's block size remains at the device's logical block size
(32768). Later, when sb_bread() attempts I/O with this oversized block
size, it triggers a kernel BUG in folio_set_bh():
kernel BUG at fs/buffer.c:1582!
BUG_ON(size > PAGE_SIZE);
Fix by checking the return value of sb_set_blocksize() and failing the
mount with -EINVAL if it returns 0.
- https://git.kernel.org/stable/c/2c5829cd8fbbc91568c520b666898f57cdcb8cf6
- https://git.kernel.org/stable/c/4b71ad7676564a94ec5f7d18298f51e8ae53db73
- https://git.kernel.org/stable/c/9b203b8ddd7359270e8a694d0584743555128e2c
- https://git.kernel.org/stable/c/a381f0f61b35c8894b0bd0d6acef2d8f9b08b244
- https://git.kernel.org/stable/c/ab7ad7abb3660c58ffffdf07ff3bb976e7e0afa0
- https://git.kernel.org/stable/c/cbd9931e6456822067725354d83446c5bb813030
- https://git.kernel.org/stable/c/f2521ab1f63a8c244f06a080319e5ff9a2e1bd95
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026