HIGH
erofs ExtentMap OOB
CVE-2026-43166
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved: erofs: fix interlaced plain identification for encoded extents Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents. This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain().
02 KernelScan AI Analysis
Risk summary
Local users with filesystem mount privileges can trigger an out-of-bounds kernel read by mounting a crafted EROFS compressed image. The result is disclosure of kernel memory contents or a kernel crash (the CVSS vector rates both confidentiality and availability impact High and integrity impact None); it does not allow privilege escalation or system compromise.
Vulnerability analysis
The vulnerability is in the EROFS extent mapping logic that decides how a plain (uncompressed) data extent is laid out on disk. Only plain data whose start position and on-disk physical length are both block-aligned may be classified as an interlaced plain extent; anything else must be treated as a shifted plain extent. Before the fix the code checked only that the physical start (map->m_pa) was block-aligned and never checked the physical length (map->m_plen), so a crafted image containing plain extents with block-aligned starts but unaligned physical lengths was misclassified as interlaced. The decompression path then handles such an extent in z_erofs_transform_plain() under the interlaced layout assumptions and reads past the extent's data, giving the out-of-bounds read syzbot observed. The fix tests both map->m_pa and map->m_plen against the block mask before selecting the interlaced format. The attack surface is local only: the attacker needs the ability to mount an attacker-controlled image (typically CAP_SYS_ADMIN or equivalent mount privileges, or a privileged component that mounts untrusted images on the user's behalf).
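The following is an added example, not code from the kernel or from KernelScan. It models the classification decision the analysis describes as two small functions, the pre-fix check (start position only) and the post-fix check (start position and physical length), and shows how they diverge on the trigger shape from the advisory: a block-aligned m_pa with an unaligned m_plen. The structure and function names (plain_extent, classify_plain_vulnerable, classify_plain_fixed, is_trigger_shape, count_trigger_shaped) are assumptions of this example; the sample extent table is constructed, not taken from any real image. The same check can be run over an extent table decoded from an untrusted image to flag extents an unpatched kernel would mishandle.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the two plain-data encodings the advisory describes. These
 * names and the struct are assumptions of this example, not erofs's own. */
enum plain_format { PLAIN_SHIFTED = 0, PLAIN_INTERLACED = 1 };

struct plain_extent {
	uint64_t m_pa;    /* on-disk physical start of the extent */
	uint64_t m_plen;  /* on-disk physical length of the extent */
};

/* Pre-fix classification as the analysis describes it: only the physical
 * start is tested against the block mask, the physical length is ignored. */
static enum plain_format classify_plain_vulnerable(const struct plain_extent *e,
						   uint32_t blksz)
{
	uint64_t mask = (uint64_t)blksz - 1;

	return (e->m_pa & mask) ? PLAIN_SHIFTED : PLAIN_INTERLACED;
}

/* Post-fix classification: both m_pa and m_plen must be block-aligned for
 * the extent to be interlaced plain; otherwise it is shifted plain. */
static enum plain_format classify_plain_fixed(const struct plain_extent *e,
					      uint32_t blksz)
{
	uint64_t mask = (uint64_t)blksz - 1;

	return ((e->m_pa | e->m_plen) & mask) ? PLAIN_SHIFTED : PLAIN_INTERLACED;
}

/* An extent has the trigger shape from the advisory (aligned start,
 * unaligned physical length) exactly when the two classifiers disagree. */
static bool is_trigger_shape(const struct plain_extent *e, uint32_t blksz)
{
	return classify_plain_vulnerable(e, blksz) != classify_plain_fixed(e, blksz);
}

/* Count trigger-shaped extents in a table, e.g. one decoded from an
 * untrusted image before it is handed to a kernel without the fix. */
static size_t count_trigger_shaped(const struct plain_extent *tbl, size_t n,
				   uint32_t blksz)
{
	size_t hits = 0;

	for (size_t i = 0; i < n; i++)
		hits += is_trigger_shape(&tbl[i], blksz);
	return hits;
}

/* Constructed sample table for a 4 KiB block size; not from a real image. */
static const struct plain_extent sample_extents[] = {
	{ .m_pa = 0x1000, .m_plen = 0x2000 }, /* aligned start and length */
	{ .m_pa = 0x0800, .m_plen = 0x1000 }, /* unaligned start: shifted either way */
	{ .m_pa = 0x4000, .m_plen = 0x0FA0 }, /* aligned start, unaligned length */
	{ .m_pa = 0x8000, .m_plen = 0x1001 }, /* aligned start, unaligned length */
};
#define SAMPLE_N (sizeof(sample_extents) / sizeof(sample_extents[0]))

int main(void)
{
	const uint32_t blksz = 4096;

	for (size_t i = 0; i < SAMPLE_N; i++) {
		const struct plain_extent *e = &sample_extents[i];

		printf("pa=0x%llx plen=0x%llx vulnerable=%s fixed=%s%s\n",
		       (unsigned long long)e->m_pa, (unsigned long long)e->m_plen,
		       classify_plain_vulnerable(e, blksz) == PLAIN_INTERLACED ? "interlaced" : "shifted",
		       classify_plain_fixed(e, blksz) == PLAIN_INTERLACED ? "interlaced" : "shifted",
		       is_trigger_shape(e, blksz) ? "  <-- trigger shape" : "");
	}
	printf("%zu of %zu extents are trigger-shaped\n",
	       count_trigger_shaped(sample_extents, SAMPLE_N, blksz), SAMPLE_N);
	return 0;
}
```

The two extents with an unaligned m_plen are the ones the pre-fix check sends down the interlaced path; the fixed check treats them as shifted, which is the classification the commit message requires. Extents with an unaligned m_pa are shifted under both checks, so they are not part of the trigger.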
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | 9d5a97bc71ed |
| 6.19 | 6.19.6 | d3790f26d386 |
| mainline | 7.0 | 4a2d046e4b13 |