[ANNOUNCE] util-linux v2.41.4
From: Karel Zak
Date: Wed Apr 01 2026 - 07:49:23 EST
The util-linux release v2.41.4 is now available at

  http://www.kernel.org/pub/linux/utils/util-linux/v2.41

This is a security maintenance release addressing:

  CVE-2026-27456 - mount(8) TOCTOU symlink attack via loop device.

    The SUID mount follows symlinks when resolving loop backing file
    paths. On systems where non-root users are permitted to mount loop
    devices (via the 'user' option in fstab), this allows access to
    arbitrary files.

  CWE-190 - Integer overflow in libblkid parse_dos_extended().

    A crafted MBR disk image can cause uint32_t wraparound in EBR
    chain processing, causing reported partitions to not match the
    on-disk layout. Tools like udisks may then register a partition
    at logical sector 0.

Feedback and bug reports, as always, are welcomed.
Karel
--
Karel Zak <kzak@xxxxxxxxxx>
http://karelzak.blogspot.com
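
The uint32_t wraparound described above for EBR chain processing, as an added example that is not part of the original announcement and is not util-linux code: the function names, the containment rule and the sample sector values are constructed for illustration. It contrasts an unchecked 32-bit sum with a form that does the arithmetic in 64 bits and rejects entries that wrap or leave the extended partition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: base + relative start, both 32-bit sector numbers.
 * The sum is reduced modulo 2^32, so a crafted pair can land on sector 0. */
static uint32_t ebr_abs_start_unchecked(uint32_t base, uint32_t rel_start)
{
    return base + rel_start;
}

/* Checked form (hypothetical helper): widen to 64 bits so wraparound is
 * visible, then require the partition to sit strictly after the start of
 * the extended container and to end inside it (assumed rule). */
static bool ebr_abs_start(uint32_t base, uint32_t rel_start, uint32_t nsectors,
                          uint32_t ext_start, uint32_t ext_size,
                          uint32_t *abs_out)
{
    uint64_t start   = (uint64_t)base + rel_start;
    uint64_t end     = start + nsectors;
    uint64_t ext_end = (uint64_t)ext_start + ext_size;

    if (nsectors == 0)
        return false;                 /* empty entry, nothing to report */
    if (start > UINT32_MAX)
        return false;                 /* would wrap in 32-bit arithmetic */
    if (start <= ext_start || end > ext_end)
        return false;                 /* outside the extended partition */

    *abs_out = (uint32_t)start;
    return true;
}

int main(void)
{
    uint32_t out = 0;

    /* Constructed values: 0x80000000 + 0x80000000 == 2^32, which wraps to 0. */
    printf("unchecked: %u\n", ebr_abs_start_unchecked(0x80000000u, 0x80000000u));
    printf("checked accepts crafted entry: %d\n",
           ebr_abs_start(0x80000000u, 0x80000000u, 2048, 2048, 0xFFFFF000u, &out));

    /* Constructed well-formed entry: EBR at 2048, partition 63 sectors later. */
    if (ebr_abs_start(2048, 63, 1000, 2048, 100000, &out))
        printf("checked start: %u\n", out);
    return 0;
}
```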