Skip to main content

Linux Kernel EUVDEUVD-2026-32227

| CVE-2026-45943 HIGH
Out-of-bounds Read (CWE-125)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-w8vj-mr98-9j85
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
4.7 MEDIUM

Local read of a crafted EROFS image with a signal-timing race (AC:H, PR:L); impact is a NULL-deref kernel crash, so A:H and C:N/I:N rather than the input's C:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 19:32 vuln.today
CVSS changed
Jun 24, 2026 - 17:22 NVD
7.1 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.1
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix inline data read failure for ztailpacking pclusters

Compressed folios for ztailpacking pclusters must be valid before adding these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster() may assume they are already valid and then trigger a NULL pointer dereference.

It is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. However, it may still happen if a fatal signal arrives while read_mapping_folio() is running, as shown below:

erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008

...

pc : z_erofs_decompress_queue+0x4c8/0xa14 lr : z_erofs_decompress_queue+0x160/0xa14 sp : ffffffc08b3eb3a0 x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000 x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001 x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700 x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098 x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004 x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9 x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: z_erofs_decompress_queue+0x4c8/0xa14 z_erofs_runqueue+0x908/0x97c z_erofs_read_folio+0x128/0x228 filemap_read_folio+0x68/0x128 filemap_get_pages+0x44c/0x8b4 filemap_read+0x12c/0x5b8 generic_file_read_iter+0x4c/0x15c do_iter_readv_writev+0x188/0x1e0 vfs_iter_read+0xac/0x1a4 backing_file_read_iter+0x170/0x34c ovl_read_iter+0xf0/0x140 vfs_read+0x28c/0x344 ksys_read+0x80/0xf0 __arm64_sys_read+0x24/0x34 invoke_syscall+0x60/0x114 el0_svc_common+0x88/0xe4 do_el0_svc+0x24/0x30 el0_svc+0x40/0xa8 el0t_64_sync_handler+0x70/0xbc el0t_64_sync+0x1bc/0x1c0

Fix this by reading the inline data before allocating and adding the pclusters to the I/O chains.

AnalysisAI

Kernel NULL pointer dereference in the Linux EROFS compressed filesystem driver allows a local user reading from an EROFS image to crash the system. The flaw lives in z_erofs_decompress_pcluster(), where compressed folios for ztailpacking pclusters are added to I/O chains before being validated; if inline-data reading fails (notably when a fatal signal interrupts read_mapping_folio()), decompression assumes the folios are valid and dereferences a NULL pointer. There is no public exploit identified at time of analysis, EPSS is negligible (0.02%), and the issue is not in CISA KEV.

Technical ContextAI

EROFS (Enhanced Read-Only File System) is a Linux kernel filesystem widely used for read-only images on Android and container/overlay deployments. The bug is in its LZ compression path, specifically 'ztailpacking' pclusters - a space optimization that packs the tail of compressed data inline within the same block as the compressed index metadata. The fix reorders operations so inline data is read before pclusters are allocated and added to the I/O decompression chain. Classified as CWE-125 (Out-of-bounds Read), though the concrete manifestation in the trace is a NULL pointer dereference (x0/x1 = 0) inside z_erofs_decompress_queue, reached via the read_folio → filemap → vfs_read path. The crash was observed on arm64 and through an overlayfs (ovl_read_iter) backing-file read.

RemediationAI

Vendor-released patch: update to a fixed stable kernel - 6.12.78, 6.18.14, 6.19.4, or 7.0 (or your distribution's backport carrying stable commits 5de1aa0bf3a5 / 92088bd9aa2a / ad07ea069f92 / c134a40f86ef). The fix simply reads inline data before allocating and chaining the pclusters, so it has no functional trade-off. Where immediate patching is not possible, reduce exposure by restricting which users can mount or read untrusted EROFS images and avoid mounting attacker-supplied EROFS/overlay backing images; on systems that do not need it, EROFS can be left unconfigured/unloaded (side effect: breaks any workload depending on EROFS, including some Android/container image formats). Track fixes via https://git.kernel.org/stable/c/c134a40f86efb8d6b5a949ef70e06d5752209be5 and the NVD entry https://nvd.nist.gov/vuln/detail/CVE-2026-45943.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32227 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy