In the Linux kernel, the following vulnerability has been resolved: erofs: fix the out-of-bounds nameoff handling for trailing dirents Currently we already have boundary-checks for nameoffs, but the trailing dirents are special since the namelens are calculated with strnlen() with unchecked nameoffs. If a crafted EROFS has a trailing dirent with nameoff >= maxsize, maxsize - nameoff can underflow, causing strnlen() to read past the directory block. nameoff0 should also be verified to be a multiple of `sizeof(struct erofs_dirent)` as well [1]. [1] https://sashiko.dev/#/patchset/20260416063511.3173774-1-hsiangkao%40linux.alibaba.com
| Version | Score | Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.1 | High | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
| Product | Vendor | Version |
|---|---|---|
| Linux | Linux | < 10.0.10240.19086 |
| Linux | Linux | < 10.0.14393.4704 |
| Linux | Linux | Firmware versions "05" and prior |
| Linux | Linux | unspecified |