Impact
The vulnerability arises when the erofs decompression routine is scheduled to run after the file system is unmounted, resulting in a use‑after‑free of the superblock structure. This race condition enables an attacker who can trigger an unmount to cause kernel memory corruption, which in turn can be leveraged for arbitrary code execution at kernel privilege. The documented weakness is a classic example of a race condition that leads to use‑after‑free, aligning with CWE‑362.
Affected Systems
All configurations of the Linux kernel that compile with erofs support are susceptible. No specific kernel versions, so any release containing the erofs module prior to the referenced commit is potentially affected. The vulnerability is limited to systems that actually mount an erofs file system and have the ability to unmount it.
Risk and Exploitability
Because the flaw is triggered by the unmount sequence, an attacker must have the privilege to initiate an unmount, typically a local root or a user with sufficient rights to remount as unprivileged. No public exploit has been reported and the EPSS score is < 1%, while the CVSS score is 5.5, indicating moderate risk. The vulnerability is not listed in the CISA KEV catalog, indicating that it has not yet been widely leveraged in the wild. If the system runs untrusted code with authority to unmount the erofs file system it could lead to privilege escalation or a crash.
OpenCVE Enrichment