CVE-2026-45999
Description
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array.
However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path.
Let's add an additional check to fix this for backporting.
Reproducible image (base64-encoded gzipped blob):
H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz 2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w ywAAAAAAAADwu14ATsEYtgBQAAA=
$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt $ dd if=/mnt/data of=/dev/null bs=4096 count=1
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unsigned underflow in EROFS LZ4 decompression leads to out-of-bounds read; crafted images can trigger it.
Vulnerability
In the Linux kernel's EROFS filesystem, the function z_erofs_lz4_handle_overlap() contains an unsigned underflow vulnerability. When processing crafted images with illegal extents where !partial_decoding && m_llen < m_plen, the LZ4 in-place decompression path is incorrectly entered. In this path, if outpages < inpages, the subtraction outpages - inpages wraps to a large unsigned value, causing subsequent accesses to rq->out[] to read past the decompressed_pages array. This affects Linux kernel versions prior to the fix commit c9ce18e6bb2c [1].
Exploitation
An attacker must provide a specially crafted EROFS image that triggers the illegal extent condition. The image must be mounted with cache_strategy=disabled (as shown in the reproducible example). No special privileges are required beyond the ability to mount the filesystem and read a file (e.g., via dd). The attacker does not need local access if the image can be mounted from a removable device or network share.
Impact
Successful exploitation results in an out-of-bounds read from the decompressed_pages array, which can lead to information disclosure (kernel memory leak) or a system crash (denial of service). The read occurs in kernel context, so sensitive data may be exposed. The vulnerability does not directly provide write access or code execution, but information disclosure can aid further attacks.
Mitigation
The fix is included in Linux kernel commit c9ce18e6bb2c (stable tree) [1]. Users should update to a kernel version containing this commit or apply the backport. No workaround is available; the only mitigation is to avoid mounting untrusted EROFS images. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
10c9ce18e6bb2cerofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 2f4cef67cf6403..e4e59a4e0d90df 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -142,6 +142,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 2f4cef67cf6403..e4e59a4e0d90df 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -142,6 +142,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
43a878639b90erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 86e088fd386ee5..18e4da98309d5c 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -133,6 +133,7 @@ static void *z_erofs_lz4_handle_overlap(struct z_erofs_lz4_decompress_ctx *ctx, if (rq->inplace_io) { omargin = PAGE_ALIGN(ctx->oend) - ctx->oend; if (rq->partial_decoding || !may_inplace || + ctx->outpages < ctx->inpages || omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) goto docopy; -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 86e088fd386ee5..18e4da98309d5c 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -133,6 +133,7 @@ static void *z_erofs_lz4_handle_overlap(struct z_erofs_lz4_decompress_ctx *ctx, if (rq->inplace_io) { omargin = PAGE_ALIGN(ctx->oend) - ctx->oend; if (rq->partial_decoding || !may_inplace || + ctx->outpages < ctx->inpages || omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) goto docopy; -- cgit 1.3-korg
bbbbb3f0d786erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
f1374fa6e57ferofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 7415949a80b32d..87009c4d2cf3a1 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -149,6 +149,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 7415949a80b32d..87009c4d2cf3a1 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -149,6 +149,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
21e161de2dc6erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
f1374fa6e57ferofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 7415949a80b32d..87009c4d2cf3a1 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -149,6 +149,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 7415949a80b32d..87009c4d2cf3a1 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -149,6 +149,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
c9ce18e6bb2cerofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 2f4cef67cf6403..e4e59a4e0d90df 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -142,6 +142,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 2f4cef67cf6403..e4e59a4e0d90df 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -142,6 +142,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
21e161de2dc6erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
bbbbb3f0d786erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 3c54e95964c9fb..2b065f8c3f711e 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -145,6 +145,7 @@ static void *z_erofs_lz4_handle_overlap(const struct z_erofs_decompress_req *rq, oend = rq->pageofs_out + rq->outputsize; omargin = PAGE_ALIGN(oend) - oend; if (!rq->partial_decoding && may_inplace && + rq->outpages >= rq->inpages && omargin >= LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) { for (i = 0; i < rq->inpages; ++i) if (rq->out[rq->outpages - rq->inpages + i] != -- cgit 1.3-korg
43a878639b90erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()
2 files changed · +2 −2
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 86e088fd386ee5..18e4da98309d5c 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -133,6 +133,7 @@ static void *z_erofs_lz4_handle_overlap(struct z_erofs_lz4_decompress_ctx *ctx, if (rq->inplace_io) { omargin = PAGE_ALIGN(ctx->oend) - ctx->oend; if (rq->partial_decoding || !may_inplace || + ctx->outpages < ctx->inpages || omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) goto docopy; -- cgit 1.3-korg
fs/erofs/decompressor.c+1 −1 modifieddiff --git a/fs/erofs/decompressor.c b/fs/erofs/decompressor.c index 86e088fd386ee5..18e4da98309d5c 100644 --- a/fs/erofs/decompressor.c +++ b/fs/erofs/decompressor.c @@ -133,6 +133,7 @@ static void *z_erofs_lz4_handle_overlap(struct z_erofs_lz4_decompress_ctx *ctx, if (rq->inplace_io) { omargin = PAGE_ALIGN(ctx->oend) - ctx->oend; if (rq->partial_decoding || !may_inplace || + ctx->outpages < ctx->inpages || omargin < LZ4_DECOMPRESS_INPLACE_MARGIN(rq->inputsize)) goto docopy; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing bounds check on outpages vs inpages in the LZ4 inplace decompression path allows an unsigned underflow when a crafted EROFS image has illegal extents (m_llen < m_plen)."
Attack vector
An attacker mounts a crafted EROFS image containing illegal extents where m_llen < m_plen and partial_decoding is false. This causes the LZ4 inplace decompression path in `z_erofs_lz4_handle_overlap()` to be wrongly entered. Because `outpages < inpages`, the subtraction `outpages - inpages` wraps to a large unsigned value, and the subsequent `rq->out[]` array access reads past the `decompressed_pages` array [patch_id=2660558]. The attacker must be able to mount a malicious EROFS filesystem image and trigger a read (e.g., `dd if=/mnt/data of=/dev/null bs=4096 count=1`).
Affected code
The vulnerability is in `fs/erofs/decompressor.c` in the function `z_erofs_lz4_handle_overlap()`. The inplace decompression path lacked a check that `rq->outpages >= rq->inpages` before computing `rq->outpages - rq->inpages` as an array index [patch_id=2660558].
What the fix does
The patch adds a guard condition `rq->outpages >= rq->inpages` (or the inverted form `ctx->outpages < ctx->inpages` leading to `goto docopy`) before entering the inplace overlap loop [patch_id=2660558]. When `outpages < inpages`, the code now falls through to the non-inplace (copy-based) decompression path, which correctly handles the illegal extent and reports corruption. This prevents the unsigned underflow and out-of-bounds read.
Preconditions
- inputAttacker must be able to mount a crafted EROFS filesystem image
- inputAttacker must trigger a read on the crafted image (e.g., dd if=/mnt/data of=/dev/null bs=4096 count=1)
- inputThe crafted image must contain illegal extents where !partial_decoding && m_llen < m_plen
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3abnvd
- git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3nvd
- git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2envd
- git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584feenvd
- git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938nvd
News mentions
0No linked articles in our index yet.