CVE-2026-45943

Severity CVSS v4.0:
Pending analysis
Type:
CWE-125 Out-of-bounds Read
Publication date:
27/05/2026
Last modified:
24/06/2026

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> erofs: fix inline data read failure for ztailpacking pclusters<br /> <br /> Compressed folios for ztailpacking pclusters must be valid before adding<br /> these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster()<br /> may assume they are already valid and then trigger a NULL pointer<br /> dereference.<br /> <br /> It is somewhat hard to reproduce because the inline data is in the same<br /> block as the tail of the compressed indexes, which are usually read just<br /> before. However, it may still happen if a fatal signal arrives while<br /> read_mapping_folio() is running, as shown below:<br /> <br /> erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4<br /> Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008<br /> <br /> ...<br /> <br /> pc : z_erofs_decompress_queue+0x4c8/0xa14<br /> lr : z_erofs_decompress_queue+0x160/0xa14<br /> sp : ffffffc08b3eb3a0<br /> x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000<br /> x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001<br /> x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700<br /> x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098<br /> x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004<br /> x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9<br /> x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000<br /> x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f<br /> x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020<br /> x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000<br /> Call trace:<br /> z_erofs_decompress_queue+0x4c8/0xa14<br /> z_erofs_runqueue+0x908/0x97c<br /> z_erofs_read_folio+0x128/0x228<br /> filemap_read_folio+0x68/0x128<br /> filemap_get_pages+0x44c/0x8b4<br /> filemap_read+0x12c/0x5b8<br /> generic_file_read_iter+0x4c/0x15c<br /> do_iter_readv_writev+0x188/0x1e0<br /> vfs_iter_read+0xac/0x1a4<br /> backing_file_read_iter+0x170/0x34c<br /> ovl_read_iter+0xf0/0x140<br /> vfs_read+0x28c/0x344<br /> ksys_read+0x80/0xf0<br /> __arm64_sys_read+0x24/0x34<br /> invoke_syscall+0x60/0x114<br /> el0_svc_common+0x88/0xe4<br /> do_el0_svc+0x24/0x30<br /> el0_svc+0x40/0xa8<br /> el0t_64_sync_handler+0x70/0xbc<br /> el0t_64_sync+0x1bc/0x1c0<br /> <br /> Fix this by reading the inline data before allocating and adding<br /> the pclusters to the I/O chains.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.17 (including) 6.12.78 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.18.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.19 (including) 6.19.4 (excluding)