CVE-2026-45999
Status: Analyzed (Analysis Complete)
erofs LZ4 Decompression Underflow Vulnerability

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Some crafted images can have illegal (!partial_decoding && m_llen < m_plen) extents, and the LZ4 inplace decompression path can be wrongly hit, but it cannot handle (outpages < inpages) properly: "outpages - inpages" wraps to a large value and the subsequent rq->out[] access reads past the decompressed_pages array.

However, such crafted cases can correctly result in a corruption report in the normal LZ4 non-inplace path.

Let's add an additional check to fix this for backporting.

Reproducible image (base64-encoded gzipped blob):

H4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g
dilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i
PNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz
2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w
ywAAAAAAAADwu14ATsEYtgBQAAA=

$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
$ dd if=/mnt/data of=/dev/null bs=4096 count=1
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.30 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.88 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
linux linux_kernel From 5.13 (inc) to 6.6.140 (exc)
CWE ID Description
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Executive Summary

This vulnerability is in the Linux kernel's erofs filesystem, in the function z_erofs_lz4_handle_overlap(). A crafted image can carry an illegal extent (!partial_decoding && m_llen < m_plen, that is, an extent whose logical length is shorter than its physical, compressed length). Such an extent wrongly steers decompression into the LZ4 in-place path, which assumes it has at least as many output pages as input pages.

When outpages < inpages, the unsigned subtraction "outpages - inpages" does not go negative but wraps to a very large value (CWE-191). The subsequent rq->out[] access then indexes past the end of the decompressed_pages array: an out-of-bounds read in kernel memory during decompression.

The normal, non-in-place LZ4 path already detects such extents and reports the image as corrupt; the in-place path lacked the equivalent check. The fix adds that check so the crafted extent is rejected before the subtraction, and the commit message notes the check was kept simple so it can be backported to stable kernels.
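
The arithmetic above is easy to get wrong precisely because nothing looks wrong at the call site. The following is an added example written for this page, not erofs or kernel code: it models the wrap the commit message describes with plain unsigned ints, shows the index a pre-fix shaped path would use, and then the post-fix shape that rejects the extent before subtracting. NR_OUT_PAGES, decompressed_pages[], page_gap() and the two inplace_index_* helpers are hypothetical stand-ins; the exact condition the upstream patch adds is not reproduced on this page, so the guard models only the stated symptom (fewer output pages than input pages).

```c
/*
 * Added example, not erofs code: models the unsigned underflow the
 * CVE-2026-45999 commit message describes. All names below are
 * hypothetical stand-ins for the kernel's rq->out[] handling.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* erofs defines EFSCORRUPTED as EUCLEAN; mirrored here so the example
 * builds stand-alone on libcs that lack EUCLEAN (Linux uses 117). */
#ifndef EUCLEAN
#define EUCLEAN 117
#endif
#define EFSCORRUPTED EUCLEAN

/* Hypothetical output page array standing in for decompressed_pages.
 * Entries are just constructed page ids for illustration. */
#define NR_OUT_PAGES 4
static const int decompressed_pages[NR_OUT_PAGES] = { 100, 101, 102, 103 };

/* The subtraction as the commit message describes it. Both operands are
 * unsigned, so outpages < inpages does not go negative: it wraps to a
 * value near UINT_MAX. */
unsigned int page_gap(unsigned int outpages, unsigned int inpages)
{
    return outpages - inpages;
}

/*
 * Pre-fix shape: trust the gap and use it to index the output pages.
 * Instead of dereferencing, report -1 when the index would land outside
 * the array (the out-of-bounds read the advisory describes); otherwise
 * return the page entry that would be used.
 */
long inplace_index_unchecked(unsigned int outpages, unsigned int inpages)
{
    unsigned int gap = page_gap(outpages, inpages);

    if (gap >= NR_OUT_PAGES)
        return -1;  /* the kernel would read past decompressed_pages here */
    return decompressed_pages[gap];
}

/*
 * Post-fix shape: reject the illegal extent before the subtraction, then
 * bound the resulting index. Returns the page entry, or -EFSCORRUPTED,
 * mirroring how the non-in-place path reports such images as corrupt.
 */
long inplace_index_checked(unsigned int outpages, unsigned int inpages)
{
    unsigned int gap;

    if (outpages < inpages)          /* the modelled "additional check" */
        return -EFSCORRUPTED;
    gap = page_gap(outpages, inpages);
    if (gap >= NR_OUT_PAGES)         /* never index past the array */
        return -EFSCORRUPTED;
    return decompressed_pages[gap];
}

int main(void)
{
    printf("page_gap(1, 2) = %u (UINT_MAX = %u)\n", page_gap(1, 2), UINT_MAX);
    printf("unchecked (1, 2) -> %ld\n", inplace_index_unchecked(1, 2));
    printf("checked   (1, 2) -> %ld (-EFSCORRUPTED)\n", inplace_index_checked(1, 2));
    printf("checked   (3, 1) -> page %ld\n", inplace_index_checked(3, 1));
    return 0;
}
```

The point of the two helpers side by side is the order of operations: the guard has to run on the operands, before the subtraction, because once the wrap has happened the result is a legal-looking unsigned index and no later comparison against "negative" can catch it.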

Impact Analysis

The immediate consequence is an out-of-bounds access in kernel memory: the wrapped page count indexes rq->out[] past the end of the decompressed_pages array while the kernel decompresses a crafted image. On an unpatched kernel that means a kernel oops or panic (denial of service) or use of whatever memory happens to sit past the array. The advisory characterises the defect as a read past the array; this page documents no exploit and no privilege-escalation path, and any escalation would require chaining with another vulnerability.

The trigger requires the kernel to decompress an attacker-controlled erofs image, so exposure concentrates where erofs images come from untrusted sources: container image layers, downloaded system or appliance images, removable media, and any service that mounts user-supplied filesystems. Mounting normally requires privilege, but the image content, not the mount operation, carries the attack, and a single 4 KiB read of the crafted file is enough to reach the vulnerable path.

Detection Guidance

This vulnerability relates to the erofs filesystem in the Linux kernel and involves crafted images that cause an unsigned underflow in the LZ4 inplace decompression path.

To detect this vulnerability on your system, you can attempt to mount a crafted erofs image and observe its behavior.

The following commands are suggested to test for the vulnerability:

  • $ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt
  • $ dd if=/mnt/data of=/dev/null bs=4096 count=1

If the system is vulnerable, the crafted image may trigger the unsigned underflow and cause improper memory access or corruption.
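
As an added example for the version check above (written for this page, not part of the advisory or of the kernel), the following C program parses a uname -r string and compares it against the four affected upstream ranges exactly as the CPE table on this page lists them. The range table, the kver struct and the function names are this example's own; the caveat from the text still applies, so a result of 1 means "check the vendor advisory", not "confirmed vulnerable", because distribution kernels backport fixes without bumping the version.

```c
/*
 * Added example, not advisory or kernel code: checks a `uname -r` string
 * against the affected upstream ranges in the CPE table for CVE-2026-45999.
 * Distribution kernels backport fixes without changing the version string,
 * so 1 here means "consult the vendor advisory", not "confirmed vulnerable".
 */
#include <stdio.h>
#include <stddef.h>
#include <sys/utsname.h>

struct kver { unsigned int major, minor, patch; };

/* Affected ranges, half-open [from, to), copied from the table on this page. */
static const struct { struct kver from, to; } affected[] = {
    { { 5, 13, 0 }, { 6, 6, 140 } },
    { { 6, 7, 0 },  { 6, 12, 88 } },
    { { 6, 13, 0 }, { 6, 18, 30 } },
    { { 6, 19, 0 }, { 7, 0, 4 } },
};

static int kver_cmp(struct kver a, struct kver b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
    return 0;
}

/* Parse "6.12.87-generic", "6.6.140" or "7.0" (patch defaults to 0).
 * Returns 1 on success, 0 if no major.minor prefix was found. The trailing
 * distro suffix is ignored, which is exactly why the result is only a hint. */
int parse_kver(const char *release, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(release, "%u.%u.%u", &v->major, &v->minor, &v->patch) >= 2;
}

/* 1 = inside an affected upstream range, 0 = outside, -1 = unparseable. */
int erofs_cve_2026_45999_affected(const char *release)
{
    struct kver v;
    size_t i;

    if (!parse_kver(release, &v))
        return -1;
    for (i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(v, affected[i].from) >= 0 && kver_cmp(v, affected[i].to) < 0)
            return 1;
    return 0;
}

int main(void)
{
    struct utsname u;
    const char *release = "6.12.87"; /* constructed fallback if uname() fails */
    int r;

    if (uname(&u) == 0)
        release = u.release;
    r = erofs_cve_2026_45999_affected(release);
    printf("%s: %s\n", release,
           r == 1 ? "inside an affected upstream range (check vendor advisory)" :
           r == 0 ? "outside the affected upstream ranges" : "unparseable version");
    return 0;
}
```

Run it on each host in inventory, or feed it the release strings from a fleet inventory instead of uname(); the comparison is against upstream version numbers, so the result is a triage filter for which hosts need a closer look at their vendor's changelog.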

Mitigation Strategies

The vulnerability has been fixed by adding an additional check in the erofs filesystem code to prevent the unsigned underflow in the LZ4 inplace decompression path.

Immediate mitigation steps include:

  • Update your Linux kernel to a version that includes the fix for this vulnerability.
  • Avoid mounting untrusted or crafted erofs images until the fix is applied.
  • Monitor for any unusual behavior or corruption when using erofs filesystems.