CVE-2026-46078: erofs: fix the out-of-bounds nameoff handling for trailing dirents
In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
HarborGuard Analysis
Synopsis
An out-of-bounds read exists in the Linux kernel's EROFS filesystem driver in how it handles the nameoff of the trailing directory entry (dirent) in a directory block. The driver already bounds-checks nameoffs for ordinary entries, but the trailing entry's name length is computed with strnlen() from an unchecked nameoff: when a crafted image places that nameoff at or beyond the block size (maxsize), the unsigned subtraction maxsize - nameoff underflows and strnlen() reads past the directory block. The fix also verifies that nameoff0 (the end of the dirent array) is a multiple of sizeof(struct erofs_dirent). The flaw is local (CVSS AV:L) and requires a crafted EROFS image to be mounted and one of its directories read on the target, so no network access is needed but user interaction is required. A successful trigger reads kernel memory beyond the block boundary, which the CVSS vector rates as a high confidentiality impact, and can crash the kernel. A patched-image rebuild at the fix versions is available on HarborGuard for affected environments.
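The block below is an added example, not code from the kernel, the patch or HarborGuard: a stand-alone C model of EROFS directory-block parsing that puts the pre-fix arithmetic next to a parser applying the checks the fix describes. It assumes the on-disk dirent layout from erofs_fs.h (12-byte packed entries with a little-endian 16-bit nameoff at offset 8) and constructs its own 64-byte directory block; the helper names (`unchecked_trailing_bound`, `erofs_parse_dirblock`, `build_sample_block` and the demo functions) are this example's own. `unchecked_trailing_bound` returns the bound that unchecked code would hand to strnlen() for the trailing dirent, so the underflow can be observed without performing the out-of-bounds read; `erofs_parse_dirblock` range-checks every nameoff before it is used and rejects a nameoff0 that is not a multiple of the dirent size.

```c
/* Added example, not kernel code: a stand-alone model of EROFS directory-block
 * parsing with the checks the fix describes.  Assumed layout (erofs_fs.h): an
 * array of 12-byte dirents ends at de[0].nameoff (nameoff0); names follow.
 * Name i is delimited by de[i+1].nameoff; the trailing name is measured with
 * strnlen() bounded by maxsize - nameoff, the subtraction that underflows
 * when nameoff was never range-checked. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EROFS_NAME_LEN 255
#define BLK 64                         /* constructed block size for the demo */
#define DESZ 12                        /* sizeof(struct erofs_dirent), packed */
#define NAMEOFF_AT(de) ((unsigned)((de)[8] | ((de)[9] << 8)))  /* le16 nameoff */

/* The bound pre-fix arithmetic hands to strnlen() for the trailing dirent:
 * both operands unsigned and nameoff unchecked, so nameoff >= maxsize wraps. */
size_t unchecked_trailing_bound(unsigned maxsize, unsigned nameoff)
{
    return (size_t)(maxsize - nameoff);
}

typedef void (*dirent_cb)(const char *name, size_t len);

/* Hardened parse of one block: entries are delivered to cb, -1 if corrupt. */
int erofs_parse_dirblock(const uint8_t *blk, unsigned maxsize, dirent_cb cb)
{
    unsigned nameoff0, nr, i;

    if (maxsize <= DESZ)
        return -1;
    nameoff0 = NAMEOFF_AT(blk);
    /* nameoff0 ends the dirent array: it must lie inside the block and, per
     * the fix, on a dirent boundary (a misaligned value skews every de[i]). */
    if (nameoff0 < DESZ || nameoff0 >= maxsize || nameoff0 % DESZ)
        return -1;
    nr = nameoff0 / DESZ;
    for (i = 0; i < nr; i++) {
        const uint8_t *de = blk + i * DESZ;
        unsigned nameoff = NAMEOFF_AT(de), namelen;

        /* Range-check nameoff BEFORE it sizes anything: names live after the
         * dirent array, and nameoff < maxsize keeps the subtraction safe. */
        if (nameoff < nameoff0 || nameoff >= maxsize)
            return -1;
        if (i + 1 == nr) {                     /* trailing dirent */
            namelen = strnlen((const char *)blk + nameoff, maxsize - nameoff);
        } else {
            unsigned next = NAMEOFF_AT(de + DESZ);
            if (next < nameoff)
                return -1;
            namelen = next - nameoff;
        }
        if (namelen > EROFS_NAME_LEN || nameoff + namelen > maxsize)
            return -1;
        cb((const char *)blk + nameoff, namelen);
    }
    return (int)nr;
}

/* --- demo scaffolding: constructed blocks, not taken from a real image --- */
static void put_dirent(uint8_t *blk, unsigned idx, uint64_t nid,
                       uint16_t nameoff, uint8_t type)
{
    uint8_t *de = blk + idx * DESZ;
    for (int i = 0; i < 8; i++) de[i] = (uint8_t)(nid >> (8 * i));
    de[8] = (uint8_t)nameoff; de[9] = (uint8_t)(nameoff >> 8);
    de[10] = type; de[11] = 0;
}

/* ".", "..", "file"; nameoff0 and the trailing nameoff are parameters so a
 * caller can plant either kind of corruption (honest values: 36 and 39). */
void build_sample_block(uint8_t blk[BLK], uint16_t nameoff0, uint16_t last_nameoff)
{
    memset(blk, 0, BLK);
    put_dirent(blk, 0, 1, nameoff0, 2);
    put_dirent(blk, 1, 2, 37, 2);
    put_dirent(blk, 2, 3, last_nameoff, 1);
    memcpy(blk + 36, ".", 1);
    memcpy(blk + 37, "..", 2);
    memcpy(blk + 39, "file", 4);
}

static char seen[128];                 /* names delivered, joined with '/' */
static void collect(const char *name, size_t len)
{
    size_t used = strlen(seen);
    if (used + len + 2 > sizeof(seen)) return;
    if (used) seen[used++] = '/';
    memcpy(seen + used, name, len);
    seen[used + len] = '\0';
}
const char *names_seen(void) { return seen; }

static int run(uint16_t nameoff0, uint16_t last_nameoff)
{
    uint8_t blk[BLK];
    build_sample_block(blk, nameoff0, last_nameoff);
    seen[0] = '\0';
    return erofs_parse_dirblock(blk, BLK, collect);
}
int demo_valid_block(void)         { return run(36, 39); }
int demo_trailing_oob(void)        { return run(36, 0xFFFF); }
int demo_misaligned_nameoff0(void) { return run(40, 39); }

int main(void)
{
    printf("honest block: %d entries: %s\n", demo_valid_block(), names_seen());
    printf("pre-fix strnlen bound (nameoff=0xffff, maxsize=%d): %zu\n",
           BLK, unchecked_trailing_bound(BLK, 0xFFFF));
    printf("hardened, trailing nameoff=0xffff: %d\n", demo_trailing_oob());
    printf("hardened, nameoff0=40: %d\n", demo_misaligned_nameoff0());
    return 0;
}
```

Build with `cc -std=c11 -Wall erofs_dir.c && ./a.out`. The honest block yields three entries; the crafted trailing nameoff of 0xffff produces a strnlen() bound of about four billion in the unchecked arithmetic, while the hardened parser rejects it before any name is touched. The edge value nameoff == maxsize is worth noting: in the unchecked model the bound is 0, strnlen() reads nothing, and the later `nameoff + namelen > maxsize` test does not fire either, so the entry would slip through as an empty name at an out-of-range pointer; the hardened parser refuses it with the same `nameoff >= maxsize` test.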
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream kernel security feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel or kernel module. Any image whose kernel version falls within the affected range is flagged automatically.
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at the fix versions (including kernel commits 1d55445226c75ddd4e78b09b3e7d99109b28c366, 222055e6b4063abd2d9e13c3d49bbd1724c50789 and 48b27a955d22391c7f30169fa7b6b2e1977f1ce4, and the 6.6.140 stable release) is available on HarborGuard for environments running an affected kernel version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host, or a way to get a crafted image in front of a user on it; no network access to the target is required.
- Authentication: Not required
No account or credentials are required to trigger the vulnerability (CVSS PR:N); whoever can get the crafted EROFS image mounted, or can list a directory on one that is already mounted, can trigger it.
- Victim interaction: Required
A user must interact with a crafted EROFS filesystem image, for example by mounting it or browsing a directory on it, which makes this a social-engineering vector (CVSS UI:R).
- Attack complexity: Low
The trigger is deterministic: once the crafted image is mounted, a directory read reaches the unchecked nameoff every time, with no dependence on race conditions, memory layout or other environmental factors.
Blast Radius
- Reads kernel memory past the directory block boundary via strnlen(); whatever lies adjacent to the block in kernel memory (page-cache or heap contents, potentially belonging to other files or processes) is read, which the CVSS vector rates as a high confidentiality impact.
- The out-of-bounds read can fault when it crosses into an unmapped page, panicking the kernel and taking down every workload on that host; containers share the host kernel, so a crash triggered inside one container affects all of them.
How HarborGuard Handles This
Detection runs continuously against all registered customer images, flagging any image whose kernel version falls within the affected range (kernels from commit 3aa8ec716e52c02360457fa018296629b4d0becf, the start of the affected range, which the affected-products data places at 4.19, up to the fix commits). Where compliance policy permits, a rebuilt image pinned to a patched kernel version becomes available immediately upon fix publication; for customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workload definitions. Median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Customers who cannot immediately rebuild are advised to restrict who can mount EROFS images, via Linux security module policy or namespace controls (where EROFS support is a loadable module, preventing it from loading on hosts that do not need it is the simplest form of this), and to avoid exposing untrusted filesystem images to users while the patch is pending deployment.
Metrics
- CVSS v3.1: 7.1
- Severity: HIGH
- Fixed in: 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
- Affected Products: 2
Fix available
- Linux / Linux: affected from commit 3aa8ec716e52c02360457fa018296629b4d0becf; fixed before commits 222055e6b4063abd2d9e13c3d49bbd1724c50789, 48b27a955d22391c7f30169fa7b6b2e1977f1ce4, 8ebb951a284b7446e025afc7dc5e9516ef9a7214, 1d55445226c75ddd4e78b09b3e7d99109b28c366 and d18a3b5d337fa412a38e776e6b4b857a58836575
- Linux / Linux: affected from 4.19; fixed in 6.6.140, 6.12.86, 6.18.27, 7.0.4, 7.1-rc1
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H