Bug 2494101 (CVE-2026-13595) - CVE-2026-13595 util-linux: util-linux: heap use-after-free in libblkid nested partition probing
Summary: CVE-2026-13595 util-linux: util-linux: heap use-after-free in libblkid nested...
Keywords:
Status: NEW
Alias: CVE-2026-13595
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494103
Blocks:
Reported: 2026-06-29 07:41 UTC by OSIDB Bzimport
Modified: 2026-06-29 08:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-29 07:41:05 UTC
A heap use-after-free vulnerability was found in libblkid's nested partition probing code in util-linux. The probe_bsd_pt() function in libblkid/src/partitions/bsd.c caches a blkid_partition parent pointer into the partlist's heap-allocated parts[] array, then loops calling blkid_partlist_add_partition(), which may reallocarray() the same array. After reallocation, the stale parent pointer is dereferenced via blkid_partition_get_start() — an 8-byte heap use-after-free read. The same dangling-pointer pattern exists in the minix, solaris_x86, and unixware nested probers.

A crafted 2 MiB DOS/MBR disk image with three BSD-typed primaries (each holding >=16 slices) plus an md-raid 0.90 superblock triggers the issue via stock blkid -p. libblkid runs as root via udev/udisks on every block-device hot-plug event.

Upstream fix: https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c
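
A reduced model of the pointer-into-growable-array pattern named in the description, as an added example (not libblkid code and not the upstream fix). The names struct part, struct partlist, list_add and add_slices are hypothetical, and growth here always relocates the array so the hazard is deterministic; the loop shows one common way to avoid the pattern, by holding the parent's index and looking it up again after every append.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a partition entry and its list (not libblkid types). */
struct part { uint64_t start, size; };
struct partlist { struct part *parts; size_t n, cap; };

/* Append an entry. Growth always moves the array (which realloc-style calls
 * are allowed to do), so any struct part * taken earlier dangles afterwards. */
static struct part *list_add(struct partlist *ls, uint64_t start, uint64_t size)
{
    if (ls->n == ls->cap) {
        size_t ncap = ls->cap ? ls->cap * 2 : 4;
        struct part *tmp = malloc(ncap * sizeof(*tmp));
        if (!tmp) return NULL;
        if (ls->n) memcpy(tmp, ls->parts, ls->n * sizeof(*tmp));
        free(ls->parts);
        ls->parts = tmp;
        ls->cap = ncap;
    }
    ls->parts[ls->n] = (struct part){ start, size };
    return &ls->parts[ls->n++];
}

/* Hazardous shape from the report: parent = &ls->parts[i]; then parent->start
 * is read inside a loop that appends. Safe shape below: keep the parent's index
 * and look the entry up again on every iteration. *moves counts relocations. */
static int add_slices(struct partlist *ls, size_t parent, unsigned n, unsigned *moves)
{
    for (unsigned i = 0; i < n; i++) {
        uintptr_t base = (uintptr_t)ls->parts;
        uint64_t pstart = ls->parts[parent].start;   /* fresh lookup */
        if (!list_add(ls, pstart + 16u * (i + 1), 16))
            return -1;
        if ((uintptr_t)ls->parts != base)
            (*moves)++;
    }
    return 0;
}

int main(void)
{
    struct partlist ls = {0};
    unsigned moves = 0;
    int rc = !list_add(&ls, 2048, 1024) || add_slices(&ls, 0, 16, &moves);
    free(ls.parts);
    return rc;
}
```

With one parent entry and 16 appended slices the array relocates three times, so a pointer cached before the loop would have been stale for most of it.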

