Impact
The issue involves the erofs file‑system component of the Linux kernel where the logical cluster number (lcn) was typed as a 32‑bit unsigned value on 32‑bit platforms. When the kernel calculated a block address by shifting the value left by the number of bits per cluster, the 32‑bit truncation caused the address to wrap at 4 GiB. This resulted in incorrect block locations and the possibility of data corruption or unpredictable disk access. The patch changes the type to a 64‑bit unsigned value so the address calculation is correct for all supported platforms.
Affected Systems
All Linux kernel installations on 32‑bit architectures are potentially affected. No specific kernel release is listed, suggesting the issue existed across multiple 32‑bit kernels before the patch was merged.
Risk and Exploitability
With a CVSS.5 and an EPSS score of < 1%, the vulnerability is assessed as moderate severity. The impact on data integrity and potential kernel crashes indicates a moderate risk for affected systems. The patch is already applied in newer kernel releases, so the primary vector is a local attack that could execute leveraged file system operations. The vulnerability is not listed in CISA KEV, indicating it is not a known widely exploited exploit at this time.
OpenCVE Enrichment