{"id":"CVE-2026-46078","summary":"erofs: fix the out-of-bounds nameoff handling for trailing dirents","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix the out-of-bounds nameoff handling for trailing dirents\n\nCurrently we already have boundary-checks for nameoffs, but the trailing\ndirents are special since the namelens are calculated with strnlen()\nwith unchecked nameoffs.\n\nIf a crafted EROFS has a trailing dirent with nameoff \u003e= maxsize,\nmaxsize - nameoff can underflow, causing strnlen() to read past the\ndirectory block.\n\nnameoff0 should also be verified to be a multiple of\n`sizeof(struct erofs_dirent)` as well [1].\n\n[1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com","modified":"2026-06-26T11:56:56.748594351Z","published":"2026-05-27T12:58:11.916Z","related":["openSUSE-SU-2026:10954-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46078.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1d55445226c75ddd4e78b09b3e7d99109b28c366"},{"type":"WEB","url":"https://git.kernel.org/stable/c/222055e6b4063abd2d9e13c3d49bbd1724c50789"},{"type":"WEB","url":"https://git.kernel.org/stable/c/48b27a955d22391c7f30169fa7b6b2e1977f1ce4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/80a23c6d1aba35be8746d74ac14e6ba5ae46da21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8ebb951a284b7446e025afc7dc5e9516ef9a7214"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a8ee527807f7d97e55ce2ef2906f7f34975eb1c7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aa16dca1b062355181ef215229eeac249d7c0d61"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d18a3b5d337fa412a38e776e6b4b857a58836575"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46078.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46078"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3aa8ec716e52c02360457fa018296629b4d0becf"},{"fixed":"a8ee527807f7d97e55ce2ef2906f7f34975eb1c7"},{"fixed":"aa16dca1b062355181ef215229eeac249d7c0d61"},{"fixed":"80a23c6d1aba35be8746d74ac14e6ba5ae46da21"},{"fixed":"222055e6b4063abd2d9e13c3d49bbd1724c50789"},{"fixed":"48b27a955d22391c7f30169fa7b6b2e1977f1ce4"},{"fixed":"8ebb951a284b7446e025afc7dc5e9516ef9a7214"},{"fixed":"1d55445226c75ddd4e78b09b3e7d99109b28c366"},{"fixed":"d18a3b5d337fa412a38e776e6b4b857a58836575"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46078.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.19.0"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.175"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.140"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.86"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.27"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-46078.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H"}]}