HIGH
erofs DirEntry OOB
CVE-2026-46078
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
KernelScan AI: 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix the out-of-bounds nameoff handling for trailing dirents

Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs.

If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block.

nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1].

[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
02 KernelScan AI Analysis
Risk summary
Systems mounting untrusted EROFS filesystems are at risk of kernel crashes and potential information disclosure. An attacker with the ability to supply a crafted EROFS filesystem image can trigger out-of-bounds memory reads during directory operations. The unbounded strnlen() reads past the directory block, leaking kernel memory contents before hitting unmapped pages and causing a kernel panic.
Vulnerability analysis
The vulnerability occurs in EROFS directory entry processing where trailing directory entries use strnlen() with unchecked nameoff values. When nameoff >= maxsize, the calculation maxsize - nameoff underflows, causing strnlen() to read beyond the directory block boundary with an effectively unbounded length. The fix adds proper bounds checking for nameoff values and validates that nameoff0 is properly aligned to sizeof(struct erofs_dirent). This prevents both the integer underflow and subsequent out-of-bounds read by ensuring all nameoff values are within valid ranges before use.
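The arithmetic described above, as an added userspace model (not the upstream patch or kernel code): it shows the wrapped bound next to a length routine that validates nameoff0 and the trailing nameoff first. `DIRENT_SIZE`, `BLKSZ`, the function names and the sample block are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIRENT_SIZE 12u /* models sizeof(struct erofs_dirent): nid, nameoff, type, reserved */
#define BLKSZ 64u       /* constructed toy directory block size (maxsize) */

/* Little-endian 16-bit nameoff of dirent idx; the field follows the 8-byte nid. */
static unsigned int get_nameoff(const uint8_t *blk, unsigned int idx)
{
    return blk[idx * DIRENT_SIZE + 8] | ((unsigned int)blk[idx * DIRENT_SIZE + 9] << 8);
}

/* Bound an unchecked path would pass to strnlen(); wraps once nameoff > maxsize. */
static unsigned int unchecked_bound(unsigned int maxsize, unsigned int nameoff)
{
    return maxsize - nameoff;
}

/* Name length of the trailing dirent, or -1 when an offset is invalid. */
static int trailing_namelen(const uint8_t *blk, unsigned int maxsize)
{
    unsigned int nameoff0 = get_nameoff(blk, 0), nameoff;
    if (nameoff0 < DIRENT_SIZE || nameoff0 >= maxsize || nameoff0 % DIRENT_SIZE)
        return -1; /* nameoff0 also fixes the dirent count, so it must be aligned */
    nameoff = get_nameoff(blk, nameoff0 / DIRENT_SIZE - 1);
    if (nameoff < nameoff0 || nameoff >= maxsize)
        return -1; /* reject before maxsize - nameoff is ever computed */
    const char *name = (const char *)blk + nameoff;
    const char *nul = memchr(name, 0, maxsize - nameoff); /* strnlen()-style bound */
    return nul ? (int)(nul - name) : (int)(maxsize - nameoff);
}

/* Constructed sample block: two dirents, names "a" and "bcd" packed at offset 24. */
static void make_block(uint8_t *blk, unsigned int nameoff0, unsigned int last_nameoff)
{
    memset(blk, 0, BLKSZ);                        /* high offset bytes stay 0 (< 256) */
    blk[8] = (uint8_t)nameoff0;
    blk[DIRENT_SIZE + 8] = (uint8_t)last_nameoff;
    memcpy(blk + 24, "abcd", 4);
}

int main(void)
{
    uint8_t blk[BLKSZ];
    make_block(blk, 24, 70); /* trailing nameoff points past the 64-byte block */
    printf("bound=%u checked=%d\n", unchecked_bound(BLKSZ, 70), trailing_namelen(blk, BLKSZ));
    return 0;
}
```

With a 64-byte block and a trailing nameoff of 70, the unchecked bound is close to 4 GiB while the validated routine returns -1 without touching the name bytes.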
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.175 | 80a23c6d1aba |
| 6.6 | 6.6.140 | 222055e6b406 |
| 6.12 | 6.12.86 | 48b27a955d22 |
| 6.18 | 6.18.27 | 8ebb951a284b |
| 7.0 | 7.0.4 | 1d55445226c7 |
| mainline | 7.1-rc1 | d18a3b5d337f |