CVE-2026-31514: Linux Kernel EROFS Short Read Vulnerability

CVE-2026-31514 Overview

CVE-2026-31514 is a medium-severity vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation. The flaw resides in the file-backed mount path, where vfs_iocb_iter_read() handles I/O requests on behalf of the read-ahead routine erofs_fileio_readahead(). When the read is interrupted by a SIGKILL signal, the function returns the number of bytes actually copied, leaving unused folios in the bio incorrectly marked as uptodate. This results in data integrity issues and potential kernel state corruption affecting availability on file-backed EROFS mounts. The vulnerability requires local access with low privileges and no user interaction.

Critical Impact

A local user can trigger inconsistent kernel page cache state on EROFS file-backed mounts through SIGKILL-interrupted reads, leading to high availability impact.

Affected Products

• Linux Kernel (mainline) with EROFS file-backed mount support
• Linux Kernel stable branches prior to commits 5a5f23ef, 5cf3972c, d1ba7d6b, and eade5404
• Distributions packaging affected kernel versions with EROFS enabled

Discovery Timeline

• 2026-04-22 - CVE-2026-31514 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-31514

Vulnerability Analysis

The vulnerability affects the EROFS file-backed mount read path in the Linux kernel. EROFS uses vfs_iocb_iter_read() to service read I/O against a backing file rather than a block device. This call chain is reachable through vfs_read → filemap_read → filemap_get_pages → filemap_readahead → erofs_fileio_readahead → erofs_fileio_rq_submit.

When the underlying filemap_read inside vfs_iocb_iter_read() detects a pending SIGKILL, it aborts and returns the partial byte count already copied. The completion handler erofs_fileio_ki_complete does not differentiate between full success and a short read. It marks every folio attached to the bio as uptodate, including folios that were never populated with valid data.

Subsequent reads of the affected pages from the page cache return stale or zeroed contents that the kernel believes are valid. This breaks read-only file system integrity guarantees and can cause processes consuming the data to behave incorrectly or crash. The vulnerability is classified under [CWE-noinfo] pending further analysis.

Root Cause

The root cause is missing error propagation in erofs_fileio_ki_complete for short read completions. The completion path assumes that a non-error return from vfs_iocb_iter_read() implies all requested folios were fully populated. SIGKILL-induced short reads violate this assumption, but the bio is still completed as if successful. The fix sets the short read bio with an error directly, preventing unused folios from being marked uptodate.

Attack Vector

Exploitation requires local access on a system that has mounted an EROFS image using file-backed mount. An unprivileged local user issues read requests against the EROFS mount and arranges for SIGKILL delivery during the read-ahead window. The race between the signal and bio completion causes the kernel to cache invalid folio contents. The attack vector is local with low attack complexity and no user interaction required, but the impact is limited to availability of processes relying on the affected mount.

The vulnerability is described in prose only — no public proof-of-concept code is available. Refer to the upstream kernel commits for the canonical fix and technical details.

Detection Methods for CVE-2026-31514

Indicators of Compromise

• Kernel log entries referencing EROFS read errors, folio inconsistencies, or unexpected page cache states on file-backed EROFS mounts
• Application crashes or checksum mismatches when reading files from EROFS mounts after processes receive SIGKILL
• Repeated SIGKILL signals delivered to processes performing reads on EROFS-mounted content

Detection Strategies

• Inventory all hosts running Linux kernels with EROFS file-backed mount enabled and compare installed versions against the patched commits
• Audit kernel build configurations for CONFIG_EROFS_FS and file-backed mount support to scope exposure
• Correlate dmesg output with process termination events to identify suspicious SIGKILL patterns targeting EROFS readers

Monitoring Recommendations

• Enable kernel audit rules for unusual signal delivery to user processes accessing EROFS file-backed mounts
• Monitor /proc/mounts for EROFS file-backed mounts on production systems and alert on unexpected additions
• Track kernel package versions across the fleet and flag systems running unpatched builds

How to Mitigate CVE-2026-31514

Immediate Actions Required

• Identify systems running affected Linux kernel versions with EROFS file-backed mount in use
• Apply the upstream kernel patches referenced by commits 5a5f23ef, 5cf3972c, d1ba7d6b, and eade5404 via vendor-supplied stable kernel updates
• Restrict local shell access on systems mounting untrusted EROFS images until patches are deployed

Patch Information

The fix is committed upstream and backported to stable kernel branches. Apply vendor kernel updates that include one of the following commits: Kernel Git Commit 5a5f23ef, Kernel Git Commit 5cf3972c, Kernel Git Commit d1ba7d6b, and Kernel Git Commit eade5404. The patch modifies erofs_fileio_ki_complete to set the bio status to error when a short read occurs.

Workarounds

• Avoid using EROFS file-backed mounts on multi-user systems until the patched kernel is deployed
• Use block-device-backed EROFS mounts rather than file-backed mounts where feasible
• Limit local user access and constrain the ability to send SIGKILL to processes reading EROFS content