Skip to main content

Linux Kernel EUVDEUVD-2026-27717

| CVE-2026-43154 MEDIUM
2026-05-06 Linux GHSA-crh8-6485-fxq6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:00 vuln.today
CVSS changed
May 13, 2026 - 20:07 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix incorrect early exits in volume label handling

Crafted EROFS images containing valid volume labels can trigger incorrect early returns, leading to folio reference leaks.

However, this does not cause system crashes or other severe issues.

AnalysisAI

Folio reference leaks in the Linux kernel EROFS filesystem driver allow a local low-privileged user to cause gradual memory resource exhaustion by presenting crafted EROFS images with valid but specially structured volume labels. Affected kernel versions span multiple stable branches including the 6.18 and 6.19 series, as confirmed by ENISA EUVD-2026-27717 and upstream kernel commit data. No public exploit has been identified at time of analysis, and the vulnerability description explicitly limits impact to reference leaks without system crashes, which aligns with the low EPSS score of 0.02% (4th percentile).

Technical ContextAI

The affected component is the EROFS (Enhanced Read-Only File System) driver embedded in the Linux kernel, identified via CPE as cpe:2.3:a:linux:linux across multiple stable branches. EROFS is a compressed read-only filesystem used heavily in Android and embedded Linux deployments. The defect resides in the volume label handling routine, where crafted but structurally valid volume labels induce incorrect early returns - code paths that exit before properly decrementing folio reference counts. Folios are the kernel's abstraction for physically contiguous page-aligned memory regions; leaked folio references prevent the memory management subsystem from reclaiming those pages, causing gradual resource exhaustion. Although no CWE is formally assigned, the root cause class is improper resource lifecycle management on abnormal code paths - a well-understood kernel bug pattern. The vulnerability is triggered at filesystem parsing time, meaning any code path that causes the kernel to interpret an EROFS image (mounting, fsck, image inspection tools) can invoke the flawed routine.

RemediationAI

The primary fix is to apply one of three upstream kernel patches available in the Linux stable tree: commit 8d8a878ef60801d867119b3df6a93e2982d62a71 (https://git.kernel.org/stable/c/8d8a878ef60801d867119b3df6a93e2982d62a71), commit d498bd168494ad4a4bce16192bfb9ce04ca19c9a (https://git.kernel.org/stable/c/d498bd168494ad4a4bce16192bfb9ce04ca19c9a), or commit 3afa4da38802a4cba1c23848a32284e7e57b831b (https://git.kernel.org/stable/c/3afa4da38802a4cba1c23848a32284e7e57b831b), each targeting a different stable branch. Tagged release versions incorporating these commits have not been independently confirmed beyond the commit hashes - consumers of Red Hat or SUSE distributions should apply errata once published by those vendors. For environments where kernel patching is not immediately feasible, a compensating control is to restrict unprivileged user-namespace mounts by setting kernel.unprivileged_userns_clone=0 (where supported) or kernel.userns_restrict, which blocks low-privileged users from mounting arbitrary EROFS images; note this trade-off disables container and sandbox workloads that rely on unprivileged user namespaces. Additionally, auditing which users have the CAP_SYS_ADMIN capability or access to loop devices limits the attack surface.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27717 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy