erofs: fix the out-of-bounds nameoff handling for trailing dirents

Summary

CVE: CVE-2026-46078
State: PUBLISHED
Assigner: Linux
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2026-05-27 14:17:29 UTC
Updated: 2026-06-01 17:17:22 UTC
Description: In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents. Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
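
A user-space C model of the two checks the description calls for, added here as an illustration; it is not the kernel patch or code from this record. The 12-byte dirent layout with `nameoff` at byte 8, the 64-byte sample block and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIRENT_SIZE 12u  /* assumed on-disk dirent: nid(8) nameoff(2) type(1) rsvd(1) */
#define NAMEOFF_AT   8u  /* byte offset of the little-endian nameoff field */

static unsigned int nameoff_of(const uint8_t *blk, unsigned int idx)
{
    const uint8_t *p = blk + idx * DIRENT_SIZE + NAMEOFF_AT;
    return p[0] | ((unsigned int)p[1] << 8);
}

/* The unchecked bound: unsigned subtraction wraps once nameoff exceeds maxsize. */
unsigned int unchecked_bound(unsigned int maxsize, unsigned int nameoff)
{
    return maxsize - nameoff;
}

/* Length of the trailing dirent's name, or -1 if the block is malformed. */
long trailing_namelen(const uint8_t *blk, unsigned int maxsize)
{
    unsigned int nameoff0, nameoff;
    const uint8_t *name, *nul;

    if (maxsize < DIRENT_SIZE)
        return -1;
    nameoff0 = nameoff_of(blk, 0);
    /* nameoff0 marks the end of the dirent array: in range and dirent-aligned */
    if (nameoff0 < DIRENT_SIZE || nameoff0 >= maxsize || nameoff0 % DIRENT_SIZE)
        return -1;
    nameoff = nameoff_of(blk, nameoff0 / DIRENT_SIZE - 1);
    /* validate the trailing nameoff before it is used as a length bound */
    if (nameoff < nameoff0 || nameoff >= maxsize)
        return -1;
    name = blk + nameoff;
    nul = memchr(name, 0, maxsize - nameoff);  /* bounded scan, like strnlen() */
    return nul ? (long)(nul - name) : (long)(maxsize - nameoff);
}

/* Constructed sample: two dirents named "a" and "bc" in a 64-byte block. */
void build_sample(uint8_t blk[64], unsigned int off0, unsigned int off_last)
{
    memset(blk, 0, 64);
    blk[NAMEOFF_AT] = off0 & 0xff;
    blk[NAMEOFF_AT + 1] = off0 >> 8;
    blk[DIRENT_SIZE + NAMEOFF_AT] = off_last & 0xff;
    blk[DIRENT_SIZE + NAMEOFF_AT + 1] = off_last >> 8;
    memcpy(blk + 24, "abc", 3);
}
```
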

Risk And Classification

Primary CVSS: v3.1 7.1 HIGH from 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

EPSS: 0.000130000 probability, percentile 0.022740000 (date 2026-06-02)


| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | Secondary | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.1 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |

CVSS v3.1 Breakdown

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Vendor Declared Affected Products

| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Linux | Linux | affected 3aa8ec716e52c02360457fa018296629b4d0becf 80a23c6d1aba35be8746d74ac14e6ba5ae46da21 git | Not specified |
| CNA | Linux | Linux | affected 3aa8ec716e52c02360457fa018296629b4d0becf 222055e6b4063abd2d9e13c3d49bbd1724c50789 git | Not specified |
| CNA | Linux | Linux | affected 3aa8ec716e52c02360457fa018296629b4d0becf 48b27a955d22391c7f30169fa7b6b2e1977f1ce4 git | Not specified |
| CNA | Linux | Linux | affected 3aa8ec716e52c02360457fa018296629b4d0becf 8ebb951a284b7446e025afc7dc5e9516ef9a7214 git | Not specified |
| CNA | Linux | Linux | affected 3aa8ec716e52c02360457fa018296629b4d0becf 1d55445226c75ddd4e78b09b3e7d99109b28c366 git | Not specified |
| CNA | Linux | Linux | affected 3aa8ec716e52c02360457fa018296629b4d0becf d18a3b5d337fa412a38e776e6b4b857a58836575 git | Not specified |
| CNA | Linux | Linux | affected 4.19 | Not specified |
| CNA | Linux | Linux | unaffected 4.19 semver | Not specified |
| CNA | Linux | Linux | unaffected 6.1.175 6.1.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.6.140 6.6.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.12.86 6.12.* semver | Not specified |
| CNA | Linux | Linux | unaffected 6.18.27 6.18.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.0.4 7.0.* semver | Not specified |
| CNA | Linux | Linux | unaffected 7.1-rc1 * original_commit_for_fix | Not specified |

References

| Reference | Source | Link | Tags |
|---|---|---|---|
| git.kernel.org/stable/c/48b27a955d22391c7f30169fa7b6b2e1977f1ce4 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/1d55445226c75ddd4e78b09b3e7d99109b28c366 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/222055e6b4063abd2d9e13c3d49bbd1724c50789 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/80a23c6d1aba35be8746d74ac14e6ba5ae46da21 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/d18a3b5d337fa412a38e776e6b4b857a58836575 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| git.kernel.org/stable/c/8ebb951a284b7446e025afc7dc5e9516ef9a7214 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | git.kernel.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |