{"api_version":"1","generated_at":"2026-06-03T02:57:20+00:00","cve":"CVE-2026-45943","urls":{"html":"https://cve.report/CVE-2026-45943","api":"https://cve.report/api/cve/CVE-2026-45943.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45943","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45943"},"summary":{"title":"erofs: fix inline data read failure for ztailpacking pclusters","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inline data read failure for ztailpacking pclusters\n\nCompressed folios for ztailpacking pclusters must be valid before adding\nthese pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster()\nmay assume they are already valid and then trigger a NULL pointer\ndereference.\n\nIt is somewhat hard to reproduce because the inline data is in the same\nblock as the tail of the compressed indexes, which are usually read just\nbefore. However, it may still happen if a fatal signal arrives while\nread_mapping_folio() is running, as shown below:\n\n erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n\n ...\n\n pc : z_erofs_decompress_queue+0x4c8/0xa14\n lr : z_erofs_decompress_queue+0x160/0xa14\n sp : ffffffc08b3eb3a0\n x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000\n x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001\n x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700\n x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098\n x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004\n x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9\n x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f\n x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020\n x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n  z_erofs_decompress_queue+0x4c8/0xa14\n  z_erofs_runqueue+0x908/0x97c\n  z_erofs_read_folio+0x128/0x228\n  filemap_read_folio+0x68/0x128\n  filemap_get_pages+0x44c/0x8b4\n  filemap_read+0x12c/0x5b8\n  generic_file_read_iter+0x4c/0x15c\n  do_iter_readv_writev+0x188/0x1e0\n  vfs_iter_read+0xac/0x1a4\n  backing_file_read_iter+0x170/0x34c\n  ovl_read_iter+0xf0/0x140\n  vfs_read+0x28c/0x344\n  ksys_read+0x80/0xf0\n  __arm64_sys_read+0x24/0x34\n  invoke_syscall+0x60/0x114\n  el0_svc_common+0x88/0xe4\n  do_el0_svc+0x24/0x30\n  el0_svc+0x40/0xa8\n  el0t_64_sync_handler+0x70/0xbc\n  el0t_64_sync+0x1bc/0x1c0\n\nFix this by reading the inline data before allocating and adding\nthe pclusters to the I/O chains.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-27 14:17:10","updated_at":"2026-05-27 14:48:03"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/5de1aa0bf3a5db0b3cbf61959da5ac61250833ed","name":"https://git.kernel.org/stable/c/5de1aa0bf3a5db0b3cbf61959da5ac61250833ed","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/92088bd9aa2a7246bba8b9648fbc64edd173cf17","name":"https://git.kernel.org/stable/c/92088bd9aa2a7246bba8b9648fbc64edd173cf17","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ad07ea069f924465061cfee40ef2861bb99f4dd8","name":"https://git.kernel.org/stable/c/ad07ea069f924465061cfee40ef2861bb99f4dd8","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c134a40f86efb8d6b5a949ef70e06d5752209be5","name":"https://git.kernel.org/stable/c/c134a40f86efb8d6b5a949ef70e06d5752209be5","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45943","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45943","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cecf864d3d76d50e3d9c58145e286a0b8c284e92 ad07ea069f924465061cfee40ef2861bb99f4dd8 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cecf864d3d76d50e3d9c58145e286a0b8c284e92 5de1aa0bf3a5db0b3cbf61959da5ac61250833ed git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cecf864d3d76d50e3d9c58145e286a0b8c284e92 92088bd9aa2a7246bba8b9648fbc64edd173cf17 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected cecf864d3d76d50e3d9c58145e286a0b8c284e92 c134a40f86efb8d6b5a949ef70e06d5752209be5 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.17","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.17 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.14 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.4 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"45943","cve":"CVE-2026-45943","epss":"0.000180000","percentile":"0.048460000","score_date":"2026-06-01","updated_at":"2026-06-02 00:05:21"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/erofs/zdata.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"ad07ea069f924465061cfee40ef2861bb99f4dd8","status":"affected","version":"cecf864d3d76d50e3d9c58145e286a0b8c284e92","versionType":"git"},{"lessThan":"5de1aa0bf3a5db0b3cbf61959da5ac61250833ed","status":"affected","version":"cecf864d3d76d50e3d9c58145e286a0b8c284e92","versionType":"git"},{"lessThan":"92088bd9aa2a7246bba8b9648fbc64edd173cf17","status":"affected","version":"cecf864d3d76d50e3d9c58145e286a0b8c284e92","versionType":"git"},{"lessThan":"c134a40f86efb8d6b5a949ef70e06d5752209be5","status":"affected","version":"cecf864d3d76d50e3d9c58145e286a0b8c284e92","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/erofs/zdata.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.17"},{"lessThan":"5.17","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.14","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.4","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.14","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.4","versionStartIncluding":"5.17","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.17","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inline data read failure for ztailpacking pclusters\n\nCompressed folios for ztailpacking pclusters must be valid before adding\nthese pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster()\nmay assume they are already valid and then trigger a NULL pointer\ndereference.\n\nIt is somewhat hard to reproduce because the inline data is in the same\nblock as the tail of the compressed indexes, which are usually read just\nbefore. However, it may still happen if a fatal signal arrives while\nread_mapping_folio() is running, as shown below:\n\n erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n\n ...\n\n pc : z_erofs_decompress_queue+0x4c8/0xa14\n lr : z_erofs_decompress_queue+0x160/0xa14\n sp : ffffffc08b3eb3a0\n x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000\n x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001\n x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700\n x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098\n x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004\n x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9\n x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f\n x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020\n x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n  z_erofs_decompress_queue+0x4c8/0xa14\n  z_erofs_runqueue+0x908/0x97c\n  z_erofs_read_folio+0x128/0x228\n  filemap_read_folio+0x68/0x128\n  filemap_get_pages+0x44c/0x8b4\n  filemap_read+0x12c/0x5b8\n  generic_file_read_iter+0x4c/0x15c\n  do_iter_readv_writev+0x188/0x1e0\n  vfs_iter_read+0xac/0x1a4\n  backing_file_read_iter+0x170/0x34c\n  ovl_read_iter+0xf0/0x140\n  vfs_read+0x28c/0x344\n  ksys_read+0x80/0xf0\n  __arm64_sys_read+0x24/0x34\n  invoke_syscall+0x60/0x114\n  el0_svc_common+0x88/0xe4\n  do_el0_svc+0x24/0x30\n  el0_svc+0x40/0xa8\n  el0t_64_sync_handler+0x70/0xbc\n  el0t_64_sync+0x1bc/0x1c0\n\nFix this by reading the inline data before allocating and adding\nthe pclusters to the I/O chains."}],"providerMetadata":{"dateUpdated":"2026-05-27T12:17:58.764Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/ad07ea069f924465061cfee40ef2861bb99f4dd8"},{"url":"https://git.kernel.org/stable/c/5de1aa0bf3a5db0b3cbf61959da5ac61250833ed"},{"url":"https://git.kernel.org/stable/c/92088bd9aa2a7246bba8b9648fbc64edd173cf17"},{"url":"https://git.kernel.org/stable/c/c134a40f86efb8d6b5a949ef70e06d5752209be5"}],"title":"erofs: fix inline data read failure for ztailpacking pclusters","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-45943","datePublished":"2026-05-27T12:17:58.764Z","dateReserved":"2026-05-13T15:03:33.087Z","dateUpdated":"2026-05-27T12:17:58.764Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-27 14:17:10","lastModifiedDate":"2026-05-27 14:48:03","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45943","Ordinal":"1","Title":"erofs: fix inline data read failure for ztailpacking pclusters","CVE":"CVE-2026-45943","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45943","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix inline data read failure for ztailpacking pclusters\n\nCompressed folios for ztailpacking pclusters must be valid before adding\nthese pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster()\nmay assume they are already valid and then trigger a NULL pointer\ndereference.\n\nIt is somewhat hard to reproduce because the inline data is in the same\nblock as the tail of the compressed indexes, which are usually read just\nbefore. However, it may still happen if a fatal signal arrives while\nread_mapping_folio() is running, as shown below:\n\n erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008\n\n ...\n\n pc : z_erofs_decompress_queue+0x4c8/0xa14\n lr : z_erofs_decompress_queue+0x160/0xa14\n sp : ffffffc08b3eb3a0\n x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000\n x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001\n x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700\n x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098\n x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004\n x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9\n x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000\n x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f\n x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020\n x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000\n Call trace:\n  z_erofs_decompress_queue+0x4c8/0xa14\n  z_erofs_runqueue+0x908/0x97c\n  z_erofs_read_folio+0x128/0x228\n  filemap_read_folio+0x68/0x128\n  filemap_get_pages+0x44c/0x8b4\n  filemap_read+0x12c/0x5b8\n  generic_file_read_iter+0x4c/0x15c\n  do_iter_readv_writev+0x188/0x1e0\n  vfs_iter_read+0xac/0x1a4\n  backing_file_read_iter+0x170/0x34c\n  ovl_read_iter+0xf0/0x140\n  vfs_read+0x28c/0x344\n  ksys_read+0x80/0xf0\n  __arm64_sys_read+0x24/0x34\n  invoke_syscall+0x60/0x114\n  el0_svc_common+0x88/0xe4\n  do_el0_svc+0x24/0x30\n  el0_svc+0x40/0xa8\n  el0t_64_sync_handler+0x70/0xbc\n  el0t_64_sync+0x1bc/0x1c0\n\nFix this by reading the inline data before allocating and adding\nthe pclusters to the I/O chains.","Type":"Description","Title":"erofs: fix inline data read failure for ztailpacking pclusters"}]}}}