Skip to main content

Linux Kernel EROFS EUVDEUVD-2026-27729

| CVE-2026-43166 HIGH
Out-of-bounds Write (CWE-787)
2026-05-06 Linux GHSA-78rx-cxmq-q7qg
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:32 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.1 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
HIGH 7.1

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix interlaced plain identification for encoded extents

Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents.

This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain().

AnalysisAI

Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.

Technical ContextAI

EROFS (Enhanced Read-Only File System) is a lightweight, high-performance read-only filesystem for Linux designed for embedded and mobile devices. This vulnerability affects the extent management logic in EROFS's compressed data handling. The kernel code incorrectly identifies 'interlaced plain extents' when processing encoded (compressed) extents. According to the fix commits, plain data extents must have both their start position AND on-disk physical length aligned to the block size to be classified as interlaced plain extents. The vulnerable code misclassifies unaligned extents as interlaced when they should be treated as 'shifted plain extents,' causing z_erofs_transform_plain() to perform out-of-bounds reads when processing these misidentified structures. This represents a memory safety issue in filesystem parsing code that handles untrusted disk images. The CPE strings indicate broad applicability across Linux kernel versions, though specific affected version ranges require verification against the commit ancestry.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.16, 6.19.6, 7.0, or later stable releases incorporating the fix commits. Distribution-specific patches: Ubuntu, Debian, RHEL, SUSE, and other enterprise distributions will release security updates through their normal kernel update channels - apply these as soon as available. For systems that cannot immediately patch, implement these compensating controls with trade-offs: (1) Restrict EROFS filesystem mounting to trusted administrators only via filesystem type blocking in mount options or AppArmor/SELinux policies - side effect: breaks legitimate use cases requiring EROFS access. (2) Disable EROFS kernel module loading by blacklisting erofs module in /etc/modprobe.d/ - side effect: prevents all EROFS filesystem usage, may break Android emulation or embedded development workflows. (3) Deploy kernel runtime guards like grsecurity or PaX if available for your kernel version - side effect: performance overhead and potential compatibility issues with third-party modules. Upstream fix commits viewable at https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119, https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1, and https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b. Verify your kernel version against the affected commit ancestry before deploying workarounds.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy