Skip to main content

Linux Kernel CVE-2026-46078

| EUVDEUVD-2026-32460 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4rmv-8gm3-jwx2
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:44 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix the out-of-bounds nameoff handling for trailing dirents

Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block.

nameoff0 should also be verified to be a multiple of sizeof(struct erofs_dirent) as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com

AnalysisAI

Out-of-bounds read in the Linux kernel's EROFS filesystem driver allows a local attacker to crash the system or potentially leak kernel memory by mounting a crafted EROFS image. The flaw stems from missing validation of the trailing dirent nameoff field, which can underflow during strnlen() and cause reads beyond the directory block. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but a vendor patch is available across multiple stable kernel branches.

Technical ContextAI

EROFS (Enhanced Read-Only File System) is a Linux kernel filesystem optimized for read-only workloads such as Android system partitions and container images. The bug lives in dirent parsing: while existing code performs boundary checks on most nameoff fields, the trailing dirent computes its name length via strnlen() using maxsize - nameoff without first validating that nameoff is within bounds. When a malicious image sets nameoff >= maxsize, the unsigned subtraction underflows to a huge value, causing strnlen() to scan past the directory block. The patch additionally requires nameoff0 to be a multiple of sizeof(struct erofs_dirent). This is a classic out-of-bounds read / buffer over-read bug class (CWE-125), triggered by untrusted on-disk metadata reaching a length calculation without sanitization.

RemediationAI

Upgrade to a vendor-released patched kernel: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 (or any later release), choosing the LTS branch matching your deployment, with stable-tree commits available at https://git.kernel.org/stable/c/d18a3b5d337fa412a38e776e6b4b857a58836575 and the sibling references in the NVD record. Where immediate patching is not possible, mitigate by disallowing mounting of untrusted EROFS images: disable automounting of removable media (e.g., mask udisks2 auto-mount rules), restrict CAP_SYS_ADMIN and user-namespace mount privileges (sysctl kernel.unprivileged_userns_clone=0 on Debian/Ubuntu), and validate container/OCI image provenance before mount - the trade-off is reduced convenience for removable media users and constraints on rootless container runtimes that rely on unprivileged user namespaces. On systems that do not need EROFS at all, blacklist the erofs module via /etc/modprobe.d to prevent autoload.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy