CVE-2026-13595 | A flaw was found in the libblkid library of util-linux. Duri… | CVSS 6.8 MEDIUM

Description

A flaw was found in the libblkid library of util-linux. During nested partition probing, the BSD, Minix, Solaris x86, and UnixWare partition probers cache a raw pointer to a parent partition entry in a dynamically allocated array. When subsequent partition additions cause the array to be reallocated, this pointer becomes stale, leading to a heap use-after-free read. An attacker who can present a crafted block device image (for example, via USB insertion or a loop-mounted disk image) can trigger this flaw without user interaction, as libblkid is invoked automatically by udev/udisks as root on block-device hot-plug events. This could lead to limited information disclosure or denial of service.

Metadata

CVE ID: CVE-2026-13595
State: PUBLISHED
Assigner: redhat
Reserved: 2026-06-29 07:20 UTC
Published: 2026-06-29 08:06 UTC
Last updated: 2026-06-29 08:06 UTC
Primary CWE: CWE-416
Use After Free
Vendor / Product: Red Hat / Red Hat Enterprise Linux 10
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Affected products (6)

Vendor	Product	Platform	Versions
Red Hat	Red Hat Enterprise Linux 10	—	—
Red Hat	Red Hat Enterprise Linux 7	—	—
Red Hat	Red Hat Enterprise Linux 8	—	—
Red Hat	Red Hat Enterprise Linux 9	—	—
Red Hat	Red Hat Hardened Images	—	—
Red Hat	Red Hat OpenShift Container Platform 4	—	—

Weakness (CWE)

CWE	Source	Description
CWE-416	cna	Use After Free

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

References (3)