A uint32 overflow in libblkid allows MBR destruction via crafted disk


Integer Overflow or Wraparound in libblkid/src/partitions/dos.c · Advisory · util-linux/util-linux · GitHub


Integer Overflow or Wraparound in libblkid/src/partitions/dos.c

Severity: High

Published by karelzak as GHSA-h4rw-gv36-wmp5 on Jun 16, 2026

Package: libblkid/src/partitions/dos.c (util-linux)

Affected versions:

Patched versions: 2.42

Description

Summary

A uint32_t integer overflow in parse_dos_extended() at libblkid/src/partitions/dos.c:96 in util-linux allows a crafted disk image or removable media to cause libblkid to register a partition at sector 0 (the MBR). The vulnerable addition (abs_start = cur_start + start) lacks an overflow guard for EBR loop entries i=0 and i=1; the existing bounds check only applies for i>=2. With cur_start=2 and lba_start=0xFFFFFFFE: (uint32_t)(2 + 0xFFFFFFFE) = 0x00000000, which is silently registered as a valid partition start. Downstream consumers including udisks2 (running as root), blkid, and mkfs process this value as a valid partition at disk sector 0.

Details

In parse_dos_extended(), the for-loop processes up to 4 EBR partition entries. For entries at index 0 and 1, abs_start is computed and used without any overflow check:

```c
for (p = p0, i = 0; i < 4; i++, p++) {
    start = dos_partition_get_start(p) * ssf;   /* from disk */
    size = dos_partition_get_size(p) * ssf;
    abs_start = cur_start + start;              /* LINE 96 — NO OVERFLOW GUARD */

    if (!size || is_extended(p))
        continue;

    if (i >= 2) {                               /* bounds check ONLY for i >= 2 */
        if (start + size > cur_size)
            continue;
        if (abs_start < ex_start)               /* right-hand side was lost in the advisory's
                                                   listing (HTML ate the "<"); restored from
                                                   upstream dos.c, where ex_start is the start
                                                   of the enclosing extended partition */
            continue;
    }

    par = blkid_partlist_add_partition(ls, tab, abs_start, size); /* SINK */
```

With a crafted MBR providing lba_start = 0xFFFFFFFE in EBR entry 0 (cur_start = 2):

```
abs_start = (uint32_t)(2 + 0xFFFFFFFE)
          = (uint32_t)(0x100000000)
          = 0x00000000
```

The wrapped value is passed directly to blkid_partlist_add_partition(), registering a fake partition covering the MBR and partition table.
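As an added illustration (not util-linux's code): a small C model of the EBR-entry arithmetic above, with the unguarded 32-bit addition beside a 64-bit-checked variant that rejects the advisory's crafted entry. The struct and function names are assumptions; the input values are the ones from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of one EBR entry (names are assumptions, not libblkid's). */
struct ebr_entry {
    uint32_t start;   /* LBA start, relative to the parent extended partition */
    uint32_t size;    /* size in sectors */
};

/* Mirrors the advisory's vulnerable logic: the 32-bit addition is never
 * guarded, and the only bounds check runs for entries with i >= 2. */
bool vulnerable_abs_start(uint32_t cur_start, uint32_t cur_size,
                          const struct ebr_entry *e, int i, uint32_t *out)
{
    uint32_t abs_start = cur_start + e->start;   /* wraps silently */
    if (!e->size)
        return false;
    if (i >= 2 && e->start + e->size > cur_size)
        return false;
    *out = abs_start;                            /* 0 for the crafted entry */
    return true;
}

/* Hardened variant: compute in 64 bits and reject, for every index, an entry
 * whose absolute end would wrap uint32_t or fall outside the parent. */
bool checked_abs_start(uint32_t cur_start, uint32_t cur_size,
                       const struct ebr_entry *e, uint32_t *out)
{
    uint64_t abs_start = (uint64_t)cur_start + e->start;
    uint64_t abs_end = abs_start + e->size;
    if (!e->size || abs_end > UINT32_MAX)        /* empty, or would wrap */
        return false;
    if (abs_end > (uint64_t)cur_start + cur_size)
        return false;                            /* past the extended partition */
    *out = (uint32_t)abs_start;
    return true;
}

int main(void)
{
    /* Values from the advisory: EBR at sector 2, entry 0 with lba_start 0xFFFFFFFE. */
    struct ebr_entry crafted = { 0xFFFFFFFEu, 256 };
    uint32_t s;
    if (vulnerable_abs_start(2, 4294967292u, &crafted, 0, &s))
        printf("vulnerable: would register partition at sector %u\n", s);
    if (!checked_abs_start(2, 4294967292u, &crafted, &s))
        printf("checked: crafted entry rejected\n");
    return 0;
}
```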

PoC

The crafted image triggers the overflow. Output of partx on Ubuntu 24.04:

```
$ partx --show crafted_overflow.img
NR START        END    SECTORS SIZE NAME UUID
 1     2 4294967293 4294967292   2T
 5     0        255        256 128K
```

Partition 5 at START=0 is the overflow result — sector 0 is the MBR. A clean reference image (also attached) produces no partition at sector 0.

Impact

When libblkid registers abs_start=0 as a valid partition, this value propagates as PART_ENTRY_OFFSET=0 to udisks2 via the dbus interface. On desktop Linux systems with automount rules, udisks2 runs as root and can trigger mkfs on newly detected partitions. If mkfs is invoked on the "partition" at sector 0:

```
mkfs.ext2 -E offset=0 /dev/sdX
→ ext2 superblock written at sector 0
→ MBR and partition table overwritten
→ disk becomes unbootable
```

CVSS METRIC JUSTIFICATIONS

UI: None — No User Interaction Required

In automated cloud and containerized environments, libblkid is invoked by system daemons without any user executing a command. When a block device is attached to a cloud instance (AWS EBS, GCP Persistent Disk, Azure Disk), the following chain executes entirely without human intervention:

disk attach event
→ udevd receives block device add event (kernel, automatic)
→ cloud-init disk_setup module probes the volume (automatic)
→ udev rules invoke blkid on the new device (automatic)
→ libblkid calls parse_dos_extended() (automatic)
→ PART_ENTRY_OFFSET=0 propagated to udisks2 via dbus (automatic)

Additional automated invocation contexts:

- CI/CD pipelines using libguestfs or virt-inspector for disk image analysis (no operator present, triggered by scheduler)
- Kubernetes CSI drivers calling NodeStageVolume on PersistentVolume attachment (kubelet-driven, no human action required)
- systemd-repart executing at boot to validate and format partitions
- LVM/multipath udev rules triggering partition re-read on device-add

In all these scenarios, the vulnerable code path is reached without any user taking a deliberate...
