CVE-2026-43154 Overview
CVE-2026-43154 is a Linux kernel vulnerability in the Enhanced Read-Only File System (EROFS) driver. The flaw resides in the volume label handling code path, where crafted EROFS images containing valid volume labels can trigger incorrect early returns. These early exits skip required cleanup steps, resulting in folio reference leaks within the page cache subsystem.
The issue affects systems that mount untrusted EROFS images. According to the upstream commit message, the bug does not cause system crashes or other severe issues, limiting impact to resource leakage rather than memory corruption or privilege escalation.
Critical Impact
Crafted EROFS images can leak folio references during volume label parsing, gradually consuming kernel memory resources on systems that mount attacker-controlled images.
Affected Products
- Linux kernel versions containing the EROFS volume label handling code prior to the fix
- Distributions shipping vulnerable mainline and stable kernel branches
- Systems mounting untrusted or user-supplied EROFS images
Discovery Timeline
- 2026-05-06 - CVE-2026-43154 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43154
Vulnerability Analysis
EROFS is a read-only filesystem used in Android and embedded Linux systems for compressed, immutable storage. The kernel parses metadata from EROFS images at mount time, including the optional volume label field stored in the superblock.
The vulnerability exists in the volume label handling logic. When the parser encounters specific valid label content, the code follows an early-return path that bypasses the folio reference release step. Each affected mount or label read operation increments folio references without a matching folio_put() call.
Folios are the kernel's page cache management primitive that replaced compound pages. Leaked references prevent the underlying memory from being reclaimed, resulting in gradual kernel memory pressure on long-running systems that repeatedly process crafted EROFS images.
Root Cause
The root cause is a missing reference release on an early-exit branch in the EROFS volume label handler. The function acquires a folio reference to read label data from the page cache but returns early under certain conditions without releasing that reference. This is a resource management flaw rather than a memory safety violation.
Attack Vector
Exploitation requires the ability to supply a crafted EROFS image to a vulnerable kernel. The most realistic attack scenarios involve mounting untrusted images on multi-tenant systems, automated build pipelines, or container hosts that accept user-provided filesystem images. Repeated mounts amplify the leak.
The upstream maintainers explicitly note that the issue does not cause crashes or severe corruption. The practical outcome is degraded availability over time as kernel memory accumulates unreclaimed folio references.
The fix is published across three stable tree commits referenced in the Linux kernel git repository, stable backport commit, and additional stable backport.
Detection Methods for CVE-2026-43154
Indicators of Compromise
- Gradually increasing kernel memory consumption on hosts that mount EROFS images, observable through /proc/meminfo and /proc/slabinfo
- Repeated EROFS mount operations from untrusted sources in audit logs
- Unexplained reduction in available page cache memory without corresponding workload changes
Detection Strategies
- Monitor kernel version strings against the patched stable releases identified in the upstream commits
- Audit mount syscalls with filesystem type erofs to identify exposure to untrusted image sources
- Track folio and page cache statistics over time to identify slow leaks correlated with EROFS activity
Monitoring Recommendations
- Enable kernel auditing for mount(2) events targeting EROFS filesystems and forward events to centralized log analysis
- Establish baselines for kernel slab memory consumption and alert on sustained upward drift
- Review container and sandbox configurations to confirm whether tenants can supply EROFS images to the host kernel
How to Mitigate CVE-2026-43154
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced in the three stable tree commits as soon as distribution updates are available
- Restrict the ability of unprivileged users and containers to mount EROFS images from untrusted sources
- Inventory systems that mount EROFS images automatically and prioritize them for kernel updates
Patch Information
The fix is delivered through commits 3afa4da38802, 8d8a878ef608, and d498bd168494 in the Linux stable tree. The patches add the missing folio reference release on the previously vulnerable early-exit paths in the EROFS volume label handling code. Apply the kernel update provided by your Linux distribution that incorporates these stable backports.
Workarounds
- Disable the EROFS kernel module on systems that do not require EROFS support using modprobe -r erofs and a blacklist erofs entry in /etc/modprobe.d/
- Block unprivileged mount operations through user namespace and capability restrictions until patches are deployed
- Validate the source and integrity of EROFS images before mounting in automated pipelines
# Configuration example: prevent loading of the erofs module on unpatched hosts
echo "blacklist erofs" | sudo tee /etc/modprobe.d/blacklist-erofs.conf
sudo rmmod erofs 2>/dev/null || true
# Verify module is not loaded
lsmod | grep erofs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
