{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45999","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-05-13T15:03:33.091Z","datePublished":"2026-05-27T12:55:53.846Z","dateUpdated":"2026-06-19T11:58:54.176Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-06-19T11:58:54.176Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()\n\nSome crafted images can have illegal (!partial_decoding &&\nm_llen < m_plen) extents, and the LZ4 inplace decompression path\ncan be wrongly hit, but it cannot handle (outpages < inpages)\nproperly: \"outpages - inpages\" wraps to a large value and\nthe subsequent rq->out[] access reads past the decompressed_pages\narray.\n\nHowever, such crafted cases can correctly result in a corruption\nreport in the normal LZ4 non-inplace path.\n\nLet's add an additional check to fix this for backporting.\n\nReproducible image (base64-encoded gzipped blob):\n\nH4sIAJGR12kCA+3SPUoDQRgG4MkmkkZk8QRbRFIIi9hbpEjrHQI5ghfwCN5BLCzTGtLbBI+g\ndilSJo1CnIm7GEXFxhT6PDDwfrs73/ywIQD/1ePD4r7Ou6ETsrq4mu7XcWfj++Pb58nJU/9i\nPNtbjhan04/9GtX4qVYc814WDqt6FaX5s+ZwXXeq52lndT6IuVvlblytLMvh4Gzwaf90nsvz\n2DF/21+20T/ldgp5s1jXRaN4t/8izsy/OUB6e/Qa79r+JwAAAAAAAL52vQVuGQAAAP6+my1w\nywAAAAAAAADwu14ATsEYtgBQAAA=\n\n$ mount -t erofs -o cache_strategy=disabled foo.erofs /mnt\n$ dd if=/mnt/data of=/dev/null bs=4096 count=1"}],"metrics":[{"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH"}}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/erofs/decompressor.c"],"versions":[{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"778acd52e9497806fbd2cea7f770c41d6850fc48","status":"affected","versionType":"git"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"118ff71ff09ebaf323a09af9e911517321a299f4","status":"affected","versionType":"git"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"43a878639b90e9721ffa5eb616a7e6d8454adef3","status":"affected","versionType":"git"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"f1374fa6e57fd836623668d782ded9244cfd2938","status":"affected","versionType":"git"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"c9ce18e6bb2c467ec85756dc7989b547b7584fee","status":"affected","versionType":"git"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e","status":"affected","versionType":"git"},{"version":"598162d050801e556750defff4ddab499e5d76ed","lessThan":"21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/erofs/decompressor.c"],"versions":[{"version":"5.13","status":"affected"},{"version":"0","lessThan":"5.13","status":"unaffected","versionType":"semver"},{"version":"5.15.210","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.176","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.140","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.88","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.30","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"7.0.4","lessThanOrEqual":"7.0.*","status":"unaffected","versionType":"semver"},{"version":"7.1","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"5.15.210"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.1.176"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.6.140"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.12.88"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"6.18.30"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"7.0.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.13","versionEndExcluding":"7.1"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/778acd52e9497806fbd2cea7f770c41d6850fc48"},{"url":"https://git.kernel.org/stable/c/118ff71ff09ebaf323a09af9e911517321a299f4"},{"url":"https://git.kernel.org/stable/c/43a878639b90e9721ffa5eb616a7e6d8454adef3"},{"url":"https://git.kernel.org/stable/c/f1374fa6e57fd836623668d782ded9244cfd2938"},{"url":"https://git.kernel.org/stable/c/c9ce18e6bb2c467ec85756dc7989b547b7584fee"},{"url":"https://git.kernel.org/stable/c/bbbbb3f0d7864238a8da2a94cd6ec013fee06a2e"},{"url":"https://git.kernel.org/stable/c/21e161de2dc660b1bb70ef5b156ab8e6e1cca3ab"}],"title":"erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()","x_generator":{"engine":"bippy-1.2.0"}}}}