Fedora Account System
Red Hat Associate
Red Hat Customer
A heap use-after-free vulnerability was found in libblkid's nested partition probing code in util-linux. The probe_bsd_pt() function in libblkid/src/partitions/bsd.c caches a blkid_partition parent pointer into the partlist's heap-allocated parts[] array, then loops calling blkid_partlist_add_partition(), which may reallocarray() the same array. After reallocation, the stale parent pointer is dereferenced via blkid_partition_get_start() — an 8-byte heap use-after-free read. The same dangling-pointer pattern exists in the minix, solaris_x86, and unixware nested probers. A crafted 2 MiB DOS/MBR disk image with three BSD-typed primaries (each holding >=16 slices) plus an md-raid 0.90 superblock triggers the issue via stock blkid -p. libblkid runs as root via udev/udisks on every block-device hot-plug event. Upstream fix: https://github.com/util-linux/util-linux/commit/c0186f14fbdb02f64c8e0ba701ce727ea764ff4c