Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix the out-of-bounds nameoff handling for trailing dirents

Currently we already have boundary-checks for nameoffs, but the trailing
dirents are special since the namelens are calculated with strnlen()
with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize,
maxsize - nameoff can underflow, causing strnlen() to read past the
directory block.

nameoff0 should also be verified to be a multiple of
`sizeof(struct erofs_dirent)` as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
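
The two checks the description calls for, shown in a userspace model. This is an added example, not the kernel patch or code from the advisory: the 12-byte dirent with a little-endian 16-bit nameoff at byte 8 is an assumed layout, and `unchecked_bound`, `checked_namelen` and `demo_trailing` are hypothetical names. The unchecked subtraction is only computed, never used as a read length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIRENT_SIZE 12u /* assumed model: 12-byte dirent, le16 nameoff at byte 8 */
#define NAMEOFF_AT   8u
#define NAMEOFF(b, i) ((b)[(i) * DIRENT_SIZE + NAMEOFF_AT] | \
                       (unsigned int)(b)[(i) * DIRENT_SIZE + NAMEOFF_AT + 1] << 8)

/* The unchecked bound: for nameoff > maxsize it wraps to a huge length. */
unsigned int unchecked_bound(unsigned int maxsize, unsigned int nameoff)
{
    return maxsize - nameoff;
}

/* Hypothetical helper: name length of dirent idx, or -1 if malformed. */
int checked_namelen(const uint8_t *blk, unsigned int maxsize, unsigned int idx)
{
    unsigned int nameoff0, ndirents, nameoff;
    nameoff0 = maxsize < DIRENT_SIZE ? 0 : NAMEOFF(blk, 0);
    /* nameoff0 sizes the dirent array: whole dirents only, inside the block */
    if (nameoff0 < DIRENT_SIZE || nameoff0 >= maxsize || nameoff0 % DIRENT_SIZE)
        return -1;
    ndirents = nameoff0 / DIRENT_SIZE;
    nameoff = idx < ndirents ? NAMEOFF(blk, idx) : 0;
    if (nameoff < nameoff0 || nameoff >= maxsize)  /* trailing dirent included */
        return -1;
    if (idx + 1 < ndirents) {
        unsigned int next = NAMEOFF(blk, idx + 1);
        return (next < nameoff || next > maxsize) ? -1 : (int)(next - nameoff);
    }
    /* trailing dirent: bounded NUL scan like strnlen(), bound in 1..maxsize */
    const uint8_t *end = memchr(blk + nameoff, 0, maxsize - nameoff);
    return end ? (int)(end - (blk + nameoff)) : (int)(maxsize - nameoff);
}

/* Constructed sample: 64-byte block, two dirents, names "a" and "bcd". */
int demo_trailing(unsigned int nameoff0, unsigned int trailing_nameoff)
{
    uint8_t blk[64] = {0};
    blk[NAMEOFF_AT] = (uint8_t)nameoff0;
    blk[DIRENT_SIZE + NAMEOFF_AT] = (uint8_t)trailing_nameoff;
    blk[DIRENT_SIZE + NAMEOFF_AT + 1] = (uint8_t)(trailing_nameoff >> 8);
    memcpy(blk + 24, "abcd", 4);
    return checked_namelen(blk, sizeof(blk), 1);
}

int main(void)
{
    printf("unchecked bound %u, checked result %d\n",
           unchecked_bound(64, 5000), demo_trailing(24, 5000));
}
```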
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel erofs filesystem, a flaw in the handling of trailing dirents can cause an out‑of‑bounds read when a crafted name offset exceeds the buffer size. This allows a maliciously constructed erofs image to expose kernel memory contents, potentially leaking sensitive data and enabling further exploitation.

Affected Systems

All Linux kernel images that include the erofs module without the recent patch are potentially affected. The advisory does not list specific kernel versions, so any unpatched system running erofs may be vulnerable.

Risk and Exploitability

The EPSS score is not available and the CVE is not listed in the CISA KEV catalog. No CVSS score is provided, so the quantified severity is unknown. Exploitation requires a crafted EROFS image; thus the likely attack vector is local, potentially requiring elevated privileges to mount the file system. An attacker with local access could read arbitrary kernel memory, which might be used to gain higher privileges.

Generated by OpenCVE AI on May 27, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a kernel release that includes the erofs patch
  • Disable or restrict mounting of erofs filesystems on untrusted directories
  • Configure the system to reject malformed EROFS images at mount time


Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-126 |

Wed, 27 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com |
| Title | | erofs: fix the out-of-bounds nameoff handling for trailing dirents |
| First Time appeared | | Linux; Linux linux Kernel |
| CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Vendors & Products | | Linux; Linux linux Kernel |
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:58:11.916Z

Reserved: 2026-05-13T15:03:33.096Z

Link: CVE-2026-46078

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:29.143

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-46078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:15:21Z

Weaknesses