Bug 2494101 (CVE-2026-13595)

Summary: CVE-2026-13595 util-linux: util-linux: heap use-after-free in libblkid nested partition probing
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: gtanzill, jbuscemi, jmitchel, kshier, pbohmill, rhel-process-autobot, stcannon, teagle, watson-tool-maintainers, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2494103    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-29 07:41:05 UTC
A heap use-after-free vulnerability was found in libblkid's nested partition probing code in util-linux. The probe_bsd_pt() function in libblkid/src/partitions/bsd.c caches a blkid_partition parent pointer into the partlist's heap-allocated parts[] array, then loops calling blkid_partlist_add_partition(), which may reallocarray() the same array. After reallocation, the stale parent pointer is dereferenced via blkid_partition_get_start() — an 8-byte heap use-after-free read. The same dangling-pointer pattern exists in the minix, solaris_x86, and unixware nested probers.

A crafted 2 MiB DOS/MBR disk image with three BSD-typed primaries (each holding >=16 slices) plus an md-raid 0.90 superblock triggers the issue via stock blkid -p. libblkid runs as root via udev/udisks on every block-device hot-plug event.

Upstream fix: https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c