{"id":"CVE-2026-45999","summary":"erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()\n\nSome crafted images can have illegal (!partial_decoding &&\nm_llen \u003c m_plen) extents, and the LZ4 inplace decompression path\ncan be wrongly hit, but it cannot handle (outpages \u003c inpages)\nproperly: \"outpages - inpages\" wraps to a large value and\nthe subsequent rq-\u003eout[] access reads past the decompressed_pages\narray.\n\nHowever, such crafted cases can correctly result in a corruption\nreport in the normal LZ4 non-inplace path.\n\nLet's add an additional check to fix this for backporting.\n\nReproducible image (base64-encoded gzipped blob):\n\nH4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g\ndilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i\nPNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz\n2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w\nywAAAAAAAADwu14ATsEYtgBQAAA=\n\n$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt\n$ dd if=/mnt/data of=/dev/null bs=4096 count=1","modified":"2026-06-23T03:55:06.491433478Z","published":"2026-05-27T12:55:53.846Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45999.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/118ff71ff09ebaf323a09af9e911517321a299f4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/778acd52e9497806fbd2cea7f770c41d6850fc48"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584fee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45999.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45999"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"598162d050801e556750defff4ddab499e5d76ed"},{"fixed":"778acd52e9497806fbd2cea7f770c41d6850fc48"},{"fixed":"118ff71ff09ebaf323a09af9e911517321a299f4"},{"fixed":"43a878639b90e9721ffa5eb616a7e6d8454adef3"},{"fixed":"f1374fa6e57fd836623668d782ded9244cfd2938"},{"fixed":"c9ce18e6bb2c467ec85756dc7989b547b7584fee"},{"fixed":"bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e"},{"fixed":"21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45999.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.13.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.88"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.30"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45999.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"}]}