MEDIUM 5.5

CVE-2026-46329: Linux Kernel EROFS File-Backed Mount Boundary Handling Vulnerability

A flaw in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation fails to properly handle I/O requests that extend beyond the filesystem boundary when the filesystem is mounted from a file. Instead of safely zeroing out the requested data (as loopback devices and the kernel's expected behavior dictate), the kernel may access invalid memory or return uninitialized data. This can lead to a denial of service or potential information disclosure on systems using file-backed EROFS mounts.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: erofs: handle end of filesystem properly for file-backed mounts I/O requests beyond the end of the filesystem should be zeroed out, similar to loopback devices and that is what we expect.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46329 addresses a boundary condition in the Linux kernel's EROFS driver for file-backed mounts. When an I/O request targets logical blocks beyond the filesystem's end, the kernel should return zeroed pages—the standard behavior for block devices and loopback mounts. The vulnerability exists because EROFS does not properly implement this end-of-filesystem handling for file-backed configurations, potentially causing reads to access unmapped or uninitialized kernel memory regions. The flaw is reachable by unprivileged local users who can trigger I/O on a crafted or maliciously-sized EROFS image mounted via a backing file.

Business impact

Systems relying on EROFS for read-only filesystem workloads—particularly in containerized, embedded, or resource-constrained environments—face availability risk. A local attacker can trigger kernel panics or hangs by submitting I/O beyond the filesystem boundary, disrupting services that depend on the mount. Additionally, information disclosure is possible if uninitialized kernel memory is returned to userspace, potentially leaking sensitive data such as cryptographic material or authentication tokens. Organizations using EROFS in production should assess whether their deployment model exposes the filesystem to untrusted local users.

Affected systems

The Linux kernel is affected. EROFS is an optional filesystem driver present in mainstream Linux distributions and commonly used in mobile devices, IoT systems, and containerized environments. The vulnerability is specific to file-backed mounts (where the filesystem image is a regular file on another filesystem) rather than block device mounts. Systems must have EROFS compiled in, the driver enabled at runtime, and a file-backed EROFS mount active to be vulnerable. Standard block device-backed EROFS mounts are not affected.

Exploitability

Exploitation requires local access (unprivileged user account sufficient) and the ability to either create a mount point or issue I/O on an existing file-backed EROFS mount. The attack requires crafting an I/O request with parameters that exceed the filesystem size. The attack surface is moderate: it depends on system configuration and whether EROFS is deployed, but no network access, kernel memory corruption, or privilege escalation is necessary for the initial trigger. The CVSS score of 5.5 (MEDIUM) reflects the local-only attack vector and the high availability impact balanced against limited confidentiality risk.

Remediation

Apply the Linux kernel patch that implements proper end-of-filesystem handling for file-backed EROFS mounts, ensuring that I/O beyond the filesystem boundary is zeroed out consistently. Administrators should prioritize patching systems that use EROFS in production, particularly those where local user isolation is weak or where the filesystem is mounted from untrusted image files. Workarounds include disabling EROFS if not required, restricting mount operations to privileged users only, or migrating to a different filesystem driver.

Patch guidance

Verify the availability of the fix in your Linux kernel version and distribution. The patch resolves the boundary check by adding explicit handling to zero out pages for reads that extend beyond the filesystem end. Check your distribution's security advisories and kernel changelog for backport status to stable and long-term support branches. Kernel versions 6.1 and later should include this fix; verify against your vendor's advisory for earlier branches. Testing with a file-backed EROFS mount containing crafted image sizes is recommended to confirm the fix in your environment.

Detection guidance

Monitor kernel logs for EROFS-related errors, page faults, or unusual memory access patterns associated with file-backed mounts. System administrators can detect exploitation attempts by tracking failed or unusual I/O operations on EROFS-mounted filesystems and by profiling processes that trigger boundary-condition reads. Tools such as auditd can log mount operations and I/O syscalls; configure rules to flag attempts to mount untrusted EROFS images. No public exploit code is known, but a researcher or attacker could test the vulnerability by mounting a crafted EROFS image and submitting read requests beyond its boundary using standard I/O tools.

Why prioritize this

This vulnerability warrants medium-priority patching for environments using file-backed EROFS. The local-only attack vector and the requirement for EROFS deployment reduce urgency compared to remote vulnerabilities, but the high availability impact and potential information disclosure justify expedited patching for production systems. Organizations should prioritize patching if EROFS is in use and local user access is granted; general-purpose servers without EROFS can defer patching to routine maintenance cycles.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects: local attack vector (no remote exploitation), low privileges required (unprivileged user account sufficient), no user interaction required, and high availability impact (kernel crash or hang possible). The scope is unchanged, and confidentiality and integrity impacts are none to low. The score balances the ease of exploitation against the limited attack surface and the fact that EROFS is not universally deployed.

Frequently asked questions

Does this affect EROFS mounted from a block device?

No. The vulnerability is specific to file-backed mounts, where the EROFS image is a regular file on another filesystem. Block device-backed mounts handle end-of-filesystem conditions correctly and are not affected.

Can this vulnerability be exploited remotely?

No. Exploitation requires local access to the system and the ability to trigger I/O on a file-backed EROFS mount. Network access is not sufficient to exploit this flaw.

Is there a public exploit?

No public exploit or weaponized proof-of-concept is known. Exploitation requires manual crafting of I/O requests to a mounted EROFS image, which limits opportunistic exploitation.

Which Linux distributions are affected?

Any distribution shipping the Linux kernel with EROFS support compiled in and file-backed EROFS mounts in use is affected. Check your distribution's kernel configuration and patch status against the vendor advisory.

This analysis is provided for informational purposes and represents the current understanding of CVE-2026-46329 based on available source data. CVSS scores and severity assessments are derived from official CVE records. Patch availability, timeline, and distribution-specific backport status should be verified against your Linux distribution's security advisories and the Linux kernel upstream repository. Organizations should conduct their own risk assessment based on their specific use of EROFS and local user access policies. SEC.co does not provide legal or compliance advice; consult your organization's security and legal teams for remediation prioritization and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).