Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix the out-of-bounds nameoff handling for trailing dirents

Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.

nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
Published: 2026-05-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the erofs filesystem of the Linux kernel allows an out‑of-bounds read when a crafted filesystem image contains a trailing directory entry whose name offset exceeds the allocated buffer. The unchecked name offset causes the kernel to call strnlen() with an overly large limit, leading to a read past the end of the data block. This overread can expose kernel memory contents, potentially revealing secrets or other sensitive information, and could be leveraged as a foothold for further privilege escalation. The weakness is a classic buffer overread and improper bounds checking, identified as CWE‑805.
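The bounds checks the description calls for, as an added C example that is not the kernel's code or the upstream patch: `unchecked_limit()` shows the value an unvalidated trailing `nameoff` would hand to strnlen(), and `trailing_namelen()` validates `nameoff0` and the trailing `nameoff` first. The names `demo_dirent`, `unchecked_limit`, `trailing_namelen` and `demo` are hypothetical, the 12-byte layout is an assumed stand-in for `struct erofs_dirent`, and the 64-byte block is constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* strnlen() */
#include <stdint.h>
#include <string.h>

/* Stand-in for struct erofs_dirent: assumed 12-byte layout, host-endian here. */
struct demo_dirent {
    uint64_t nid;
    uint16_t nameoff;    /* name offset from the start of the block */
    uint8_t  file_type;
    uint8_t  reserved;
} __attribute__((packed));

/* Limit the unchecked path would pass to strnlen(); wraps if nameoff > maxsize. */
unsigned int unchecked_limit(unsigned int maxsize, uint16_t nameoff)
{
    return maxsize - nameoff;
}

/* Name length of the trailing dirent, or -1 if the block is malformed. */
int trailing_namelen(const uint8_t *blk, unsigned int maxsize)
{
    struct demo_dirent de;
    unsigned int nameoff0;

    if (maxsize < sizeof(de))
        return -1;
    memcpy(&de, blk, sizeof(de));
    nameoff0 = de.nameoff;
    /* nameoff0 is also the dirent array size: aligned, non-empty, in range */
    if (nameoff0 < sizeof(de) || nameoff0 >= maxsize || nameoff0 % sizeof(de))
        return -1;
    memcpy(&de, blk + nameoff0 - sizeof(de), sizeof(de));   /* last dirent */
    /* the trailing name must start after the array and inside the block */
    if (de.nameoff < nameoff0 || de.nameoff >= maxsize)
        return -1;
    return (int)strnlen((const char *)blk + de.nameoff, maxsize - de.nameoff);
}

/* Constructed 64-byte block: two dirents, then the names "a" and "bc". */
int demo(uint16_t nameoff0, uint16_t tail_nameoff)
{
    uint8_t blk[64] = {0};
    struct demo_dirent d[2] = { {1, nameoff0, 0, 0}, {2, tail_nameoff, 0, 0} };

    memcpy(blk, d, sizeof(d));
    memcpy(blk + 24, "abc", 3);
    return trailing_namelen(blk, sizeof(blk));
}
```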

Affected Systems

All Linux kernel builds that compile the erofs filesystem module and have not applied the recent patch are vulnerable. The advisory does not list specific kernel releases, so any unpatched kernel capable of mounting erofs filesystems is affected.

Risk and Exploitability

The CVSS score of 7.1 reflects high severity. With an EPSS score of <1%, the likelihood of exploitation remains unclear, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a maliciously crafted EROFS image that can be mounted, implying a local attack scenario or a scenario where the target system mounts untrusted filesystems, such as a networked file share or a container image. Once the filesystem is mounted, the kernel performs the unbounded read and leaks memory contents. The attack vector is inferred from the description and is not explicitly stated in the payload.

Generated by OpenCVE AI on May 30, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel version that includes the erofs patch
  • Disable or restrict the erofs module so that untrusted EROFS images cannot be mounted
  • Configure the system to reject malformed EROFS images at mount time by tightening mount‑time validation or disabling mount options that allow potentially unsafe filesystems



Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:00:00 +0000


Sat, 30 May 2026 11:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H'}


Thu, 28 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126

Thu, 28 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Wed, 27 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
Title erofs: fix the out-of-bounds nameoff handling for trailing dirents
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T17:52:41.359Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46078

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:29.143

Modified: 2026-06-01T17:17:22.650

Link: CVE-2026-46078

Red Hat

Severity: Moderate

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-46078 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-30T12:45:23Z

Weaknesses
  • CWE-805

    Buffer Access with Incorrect Length Value