PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45999 Linux CVE debrief

A vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation could allow an attacker with a crafted filesystem image to trigger an out-of-bounds read during LZ4 decompression. The issue stems from an unsigned integer underflow in `z_erofs_lz4_handle_overlap()` when processing malformed extents that specify `m_llen < m_plen` without the `partial_decoding` flag. This causes the inplace decompression path to be incorrectly selected, where the calculation `outpages - inpages` wraps to a large unsigned value, leading to reads past the `decompressed_pages` array boundary. The vulnerability was resolved by adding an additional validation check to prevent this code path from being reached with illegal extent parameters.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Linux system administrators, kernel maintainers, and security teams managing systems that may mount untrusted or external EROFS filesystem images. Organizations using container or embedded Linux deployments with EROFS support should prioritize patching.

Technical summary

The EROFS filesystem driver in the Linux kernel contains an unsigned integer underflow vulnerability in the LZ4 decompression handler. When processing crafted filesystem images with malformed extent headers (specifically `!partial_decoding && m_llen < m_plen`), the code incorrectly enters an inplace decompression path that cannot handle cases where output pages are fewer than input pages. The subtraction `outpages - inpages` underflows to a large value, causing subsequent array accesses to read beyond allocated memory. The fix adds proper validation to prevent reaching this vulnerable code path with illegal extent parameters.
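The arithmetic above, as an added example that is not the kernel's code or the CVE's published fix. It models an extent with the page's `m_plen`, `m_llen` and `partial_decoding` fields, the unsigned `outpages - inpages` subtraction, and the shape of validation the page says the fix adds. The page size, the assumption that the decompressed page array holds exactly `outpages` entries, the `base + i` indexing loop, and the `-1` return for a rejected extent are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of the page's description; not the kernel's EROFS code.
 * m_plen, m_llen and partial_decoding are the names the page uses; the rest
 * (page size, array bound, return values) is assumed for illustration. */
#define PAGE_SIZE 4096u

struct extent {
    unsigned int m_plen;     /* physical (compressed) length in bytes, read from the image */
    unsigned int m_llen;     /* logical (decompressed) length in bytes, read from the image */
    int partial_decoding;    /* set when only a prefix of the extent is needed */
};

static unsigned int npages(unsigned int len)
{
    return (len + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* The subtraction the page describes. Both operands are unsigned, so when
 * outpages < inpages the result does not go negative: it wraps to a value
 * near UINT_MAX. */
unsigned int overlap_base(unsigned int outpages, unsigned int inpages)
{
    return outpages - inpages;
}

/* Vulnerable selection: only partial_decoding keeps an extent off the inplace
 * path, so an extent with m_llen < m_plen slips through. Returns 1 if the
 * inplace code would index decompressed_pages[] (assumed to hold outpages
 * entries) past its end, 0 otherwise. */
int vuln_inplace_reads_oob(const struct extent *e)
{
    unsigned int inpages = npages(e->m_plen);
    unsigned int outpages = npages(e->m_llen);
    unsigned int base, i;

    if (e->partial_decoding)
        return 0;                       /* copy path, no overlap arithmetic */

    base = overlap_base(outpages, inpages);
    for (i = 0; i < inpages; i++) {
        /* index of the output page the inplace path would touch */
        if (base + i >= outpages)
            return 1;                   /* read past the end of decompressed_pages[] */
    }
    return 0;
}

/* Hardened: the shape of check the page says the fix adds. A full decode that
 * yields fewer bytes than its compressed input is not a legal extent, so it is
 * rejected before any page arithmetic runs. Returns -1 for an illegal extent
 * (the real error code is not given on the page), 0 if decoding may proceed. */
int validate_extent(const struct extent *e)
{
    if (!e->partial_decoding && e->m_llen < e->m_plen)
        return -1;
    return 0;
}

int safe_inplace_reads_oob(const struct extent *e)
{
    if (validate_extent(e) < 0)
        return 0;                       /* rejected; the inplace path is never reached */
    /* With m_llen >= m_plen, outpages >= inpages, so base + i < outpages for every i. */
    return vuln_inplace_reads_oob(e);
}

int main(void)
{
    /* Constructed extents: a legal one and one shaped like the crafted image. */
    struct extent legal   = { 1 * PAGE_SIZE, 3 * PAGE_SIZE, 0 };
    struct extent crafted = { 3 * PAGE_SIZE, 1 * PAGE_SIZE, 0 };

    printf("legal:   base=%u vuln_oob=%d safe_oob=%d validate=%d\n",
           overlap_base(npages(legal.m_llen), npages(legal.m_plen)),
           vuln_inplace_reads_oob(&legal), safe_inplace_reads_oob(&legal),
           validate_extent(&legal));
    printf("crafted: base=%u vuln_oob=%d safe_oob=%d validate=%d\n",
           overlap_base(npages(crafted.m_llen), npages(crafted.m_plen)),
           vuln_inplace_reads_oob(&crafted), safe_inplace_reads_oob(&crafted),
           validate_extent(&crafted));
    return 0;
}
```

The point to take from the model is that the wrap happens in ordinary unsigned arithmetic with no compiler warning, so a bounds check after the subtraction is too late: the validation has to sit on the image-supplied fields (`m_llen`, `m_plen`) before the path is chosen, which is where the page places the fix.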

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available from your Linux distribution
  • Restrict mounting of untrusted EROFS filesystem images
  • Consider disabling EROFS support if not required in your environment
  • Monitor for kernel security advisories from your distribution regarding this CVE

Evidence notes

The vulnerability description indicates that crafted EROFS images with illegal extent parameters can trigger the vulnerable code path. A reproducible test image was provided in the original disclosure (base64-encoded gzipped blob). The fix adds validation to prevent the inplace decompression path from being taken when `outpages < inpages` would occur.

Official resources

2026-05-27