CVE-2026-46078
HIGHerofs: fix the out-of-bounds nameoff handling for trailing dirents
Title source: cnaDescription
In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
References (8)
Core 8
Core References
Scores
CVSS v3
7.1
EPSS
0.0013
EPSS Percentile
3.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Details
CWE
CWE-125
Status
published
Products (27)
linux/Kernel
4.19.0 - 5.10.259linux
linux/Kernel
5.11.0 - 5.15.210linux
linux/Kernel
5.16.0 - 6.1.175linux
linux/Kernel
6.13.0 - 6.18.27linux
linux/Kernel
6.19.0 - 7.0.4linux
linux/Kernel
6.2.0 - 6.6.140linux
linux/Kernel
6.7.0 - 6.12.86linux
Linux/Linux
< 4.19
Linux/Linux
3aa8ec716e52c02360457fa018296629b4d0becf - 1d55445226c75ddd4e78b09b3e7d99109b28c366
Linux/Linux
3aa8ec716e52c02360457fa018296629b4d0becf - 222055e6b4063abd2d9e13c3d49bbd1724c50789
... and 17 more
Published
May 27, 2026
Tracked Since
May 27, 2026