erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

CVE	CVE-2026-45999
State	PUBLISHED
Assigner	Linux
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-27 14:17:17 UTC
Updated	2026-05-30 11:17:17 UTC
Description	In the Linux kernel, the following vulnerability has been resolved: erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array. However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path. Let's add an additional check to fix this for backporting. Reproducible image (base64-encoded gzipped blob): H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA= $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1

Primary CVSS: v3.1 7.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

EPSS: 0.000130000 probability, percentile 0.022440000 (date 2026-06-02)

Version	Source	Type	Score	Severity	Vector
3.1	416baaa9-dc9f-4396-8d5f-8c081fb06d67	Secondary	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H`
3.1	CNA	DECLARED	7.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Source	Vendor	Product	Version	Platforms
CNA	Linux	Linux	affected 598162d050801e556750defff4ddab499e5d76ed 43a878639b90e9721ffa5eb616a7e6d8454adef3 git	Not specified
CNA	Linux	Linux	affected 598162d050801e556750defff4ddab499e5d76ed f1374fa6e57fd836623668d782ded9244cfd2938 git	Not specified
CNA	Linux	Linux	affected 598162d050801e556750defff4ddab499e5d76ed c9ce18e6bb2c467ec85756dc7989b547b7584fee git	Not specified
CNA	Linux	Linux	affected 598162d050801e556750defff4ddab499e5d76ed bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e git	Not specified
CNA	Linux	Linux	affected 598162d050801e556750defff4ddab499e5d76ed 21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab git	Not specified
CNA	Linux	Linux	affected 5.13	Not specified
CNA	Linux	Linux	unaffected 5.13 semver	Not specified
CNA	Linux	Linux	unaffected 6.6.140 6.6.* semver	Not specified
CNA	Linux	Linux	unaffected 6.12.88 6.12.* semver	Not specified
CNA	Linux	Linux	unaffected 6.18.30 6.18.* semver	Not specified
CNA	Linux	Linux	unaffected 7.0.4 7.0.* semver	Not specified
CNA	Linux	Linux	unaffected 7.1-rc1 * original_commit_for_fix	Not specified

Reference	Source	Link	Tags
git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584fee	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab	416baaa9-dc9f-4396-8d5f-8c081fb06d67	git.kernel.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.