CVE-2026-31514

Vulnerability

Description

In the Linux kernel's erofs filesystem, when using a file-backed mount, I/O requests are handled by vfs_iocb_iter_read(). This function can be interrupted by a SIGKILL signal, causing it to return fewer bytes than requested (a short read). The completion handler erofs_fileio_ki_complete then marks all folios in the bio as uptodate, even those that were not actually read. This results in unused folios being incorrectly marked as up-to-date, which is the root cause of the vulnerability [1][2][3][4].

Exploitation

Conditions

Exploitation requires local access to the system and the ability to send a SIGKILL signal to a process that is performing I/O on an erofs file-backed mount. The attacker must be able to trigger the signal at the precise moment when the I/O is in progress. No special authentication is needed beyond standard local user privileges. The attack surface is limited to scenarios where the attacker can influence the timing of signal delivery.

Impact

If successfully exploited, the incorrect marking of folios as uptodate can lead to reading uninitialized or stale data from the filesystem. This could result in information disclosure or data corruption, depending on how the affected folios are used. The CVSS v3 score of 5.5 (Medium) reflects the moderate severity, as the vulnerability requires local access and specific conditions to be triggered.

Mitigation

The fix has been applied in the Linux kernel stable tree via commits [1][2][3][4]. Users are advised to update their kernels to versions that include these patches. No workaround is documented; updating the kernel is the recommended mitigation.