CVE-2026-45943
Status: Awaiting Analysis
NULL Pointer Dereference in Linux Kernel EROFS

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix inline data read failure for ztailpacking pclusters

Compressed folios for ztailpacking pclusters must be valid before adding these pclusters to I/O chains. Otherwise, z_erofs_decompress_pcluster() may assume they are already valid and then trigger a NULL pointer dereference.

It is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. However, it may still happen if a fatal signal arrives while read_mapping_folio() is running, as shown below:

    erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4
    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
    ...
    pc : z_erofs_decompress_queue+0x4c8/0xa14
    lr : z_erofs_decompress_queue+0x160/0xa14
    sp : ffffffc08b3eb3a0
    x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000
    x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001
    x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700
    x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098
    x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004
    x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9
    x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000
    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f
    x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020
    x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000
    Call trace:
     z_erofs_decompress_queue+0x4c8/0xa14
     z_erofs_runqueue+0x908/0x97c
     z_erofs_read_folio+0x128/0x228
     filemap_read_folio+0x68/0x128
     filemap_get_pages+0x44c/0x8b4
     filemap_read+0x12c/0x5b8
     generic_file_read_iter+0x4c/0x15c
     do_iter_readv_writev+0x188/0x1e0
     vfs_iter_read+0xac/0x1a4
     backing_file_read_iter+0x170/0x34c
     ovl_read_iter+0xf0/0x140
     vfs_read+0x28c/0x344
     ksys_read+0x80/0xf0
     __arm64_sys_read+0x24/0x34
     invoke_syscall+0x60/0x114
     el0_svc_common+0x88/0xe4
     do_el0_svc+0x24/0x30
     el0_svc+0x40/0xa8
     el0t_64_sync_handler+0x70/0xbc
     el0t_64_sync+0x1bc/0x1c0

Fix this by reading the inline data before allocating and adding the pclusters to the I/O chains.
Meta Information
Published: 2026-05-27
Last Modified: 2026-05-27
Generated: 2026-06-16
AI Q&A: 2026-05-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs

Vendor | Product | Version / Range
linux_kernel | erofs | *
linux_kernel | linux_kernel | *
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability is in the Linux kernel's EROFS filesystem implementation. Compressed folios for ztailpacking pclusters were not guaranteed to be valid before those pclusters were added to I/O chains. When they are not valid, z_erofs_decompress_pcluster() may assume that they are and trigger a NULL pointer dereference.

The issue is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. It can still be triggered if a fatal signal arrives while read_mapping_folio() is running: the inline data read fails, and the kernel then dereferences a NULL pointer during decompression.

The fix involves reading the inline data before allocating and adding the pclusters to the I/O chains, preventing the NULL pointer dereference.

Impact Analysis

This vulnerability can cause a kernel NULL pointer dereference, which typically results in a kernel crash or system instability. Such a crash can lead to denial of service (DoS) conditions where the affected system becomes unresponsive or requires a reboot.

Because the issue occurs during file system read operations, it may disrupt normal system operations, potentially causing data access interruptions or loss of availability for services relying on the affected Linux kernel.

Detection Guidance

This vulnerability relates to a NULL pointer dereference in the Linux kernel's erofs filesystem when handling inline data for ztailpacking pclusters. Detection would involve monitoring kernel logs for specific error messages indicating this issue.

  • Check kernel logs for messages like: "z_erofs_pcluster_begin: failed to get inline data -4" or "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008".
  • Use the command: dmesg | grep -i 'z_erofs_pcluster_begin' to find related errors in the kernel ring buffer.
  • Alternatively, check system logs with: journalctl -k | grep -i 'z_erofs_decompress_queue' to identify kernel stack traces related to this vulnerability.
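
A single grep matches the read-failure message even when no crash followed it. The added example below (not part of the original advisory) reports a hit only when the failure, the NULL dereference and a faulting pc in z_erofs_decompress_queue appear in sequence. The function names, the WINDOW variable and the sample input are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag the CVE-2026-45943 crash
# signature by correlating three kernel-log lines instead of grepping one.
# Live use, with permission to read the kernel log:
#   journalctl -k | erofs_oops_scan

erofs_oops_scan() {
    # WINDOW (assumed default 50): max lines between failure and oops.
    awk -v WINDOW="${WINDOW:-50}" '
    # 1. Inline-data read failure: remember device and error code.
    /z_erofs_pcluster_begin: failed to get inline data/ {
        dev = "unknown"
        if (match($0, /\(device [^)]*\)/))
            dev = substr($0, RSTART + 8, RLENGTH - 9)
        err = $NF; armed = NR; oops = 0
        next
    }
    # 2. NULL dereference reported shortly after that failure.
    armed && /Unable to handle kernel NULL pointer dereference/ {
        if (NR - armed <= WINDOW) oops = 1
        next
    }
    # 3. Faulting pc inside the erofs decompression queue confirms it.
    oops && /pc : z_erofs_decompress_queue/ {
        printf "MATCH device=%s errno=%s pc=%s\n", dev, err, $NF
        hits++; armed = 0; oops = 0
    }
    END { exit (hits ? 0 : 1) }'
}

# Constructed sample: lines copied from the trace in the description.
sample_log() {
    cat <<'EOF'
erofs: (device dm-1): z_erofs_pcluster_begin: failed to get inline data -4
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
pc : z_erofs_decompress_queue+0x4c8/0xa14
lr : z_erofs_decompress_queue+0x160/0xa14
Call trace:
 z_erofs_decompress_queue+0x4c8/0xa14
 z_erofs_runqueue+0x908/0x97c
EOF
}

sample_log | erofs_oops_scan
```

The function exits 0 when at least one correlated crash is found and 1 otherwise, so it can gate an alert in a log-collection job.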
Mitigation Strategies

The vulnerability is fixed by ensuring the inline data is read before allocating and adding pclusters to the I/O chains in the erofs filesystem code.

Immediate mitigation steps include updating the Linux kernel to a version that contains the fix for this vulnerability.

  • Apply the latest kernel patches or upgrade to a kernel version released after 2026-05-27 that includes the fix.
  • Avoid using the erofs filesystem with ztailpacking pclusters on affected kernel versions until patched.
  • Monitor kernel logs for signs of the issue and consider restricting access to affected systems to reduce risk.