CVE-2026-53369 in Linuxinfo

Summary

by MITRE • 07/19/2026

In the Linux kernel, the following vulnerability has been resolved:

udf: reject descriptors with oversized CRC length

udf_read_tagged() skips CRC verification when descCRCLength + sizeof(struct tag) exceeds the block size. A crafted UDF image can set descCRCLength to an oversized value to bypass CRC validation entirely; the descriptor is then accepted based solely on the 8-bit tag checksum, which is trivially recomputable.

Reject such descriptors instead of silently accepting them. A legitimate single-block descriptor should never have a CRC length that exceeds the block.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/19/2026

The vulnerability in question involves a critical flaw within the Linux kernel's Universal Disk Format UDF implementation where the udf_read_tagged() function fails to properly validate descriptor integrity checks. This weakness stems from insufficient bounds checking on the descCRCLength field which governs the length of the cyclic redundancy check data associated with each UDF descriptor. The vulnerability arises when a crafted UDF image deliberately sets the descCRCLength parameter to an oversized value that exceeds the available block size, effectively bypassing the CRC validation mechanism entirely.

When the descriptor's CRC length combined with the tag structure size surpasses the physical block boundaries, the kernel's UDF driver silently skips the CRC verification process rather than rejecting the malformed descriptor. This behavior creates a security loophole where malicious actors can construct specially formatted UDF images that exploit this validation gap by leveraging the 8-bit tag checksum instead of the more robust CRC validation. The 8-bit checksum is trivially computable and easily manipulated, making it insufficient protection against crafted malicious content.

This vulnerability directly relates to CWE-129 and CWE-704 within the Common Weakness Enumeration framework, representing weaknesses in input validation and improper handling of malformed data structures. The operational impact of this flaw extends beyond simple data corruption as it enables potential privilege escalation attacks through descriptor manipulation, allowing attackers to inject malicious content into UDF filesystems without proper integrity verification. The attack vector typically involves mounting a specially crafted UDF image that exploits this vulnerability during the filesystem parsing phase.

The mitigation strategy requires implementing strict bounds checking within the udf_read_tagged() function to reject any descriptors where the sum of descCRCLength and sizeof(struct tag) exceeds the block size limit. This enforcement ensures that legitimate single-block descriptors, which should never exceed their physical boundaries, are properly validated while preventing the bypass mechanism that allows oversized CRC lengths to skip integrity checks entirely. The fix aligns with ATT&CK technique T1068 by addressing privilege escalation vectors through kernel-level input validation. Additionally, this patch addresses security controls related to data integrity verification and proper resource management within filesystem drivers, preventing attackers from manipulating UDF descriptors to gain unauthorized access or execute malicious code through compromised filesystem parsing routines.

Responsible

Linux

Reservation

06/09/2026

Disclosure

07/19/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!