CVE-2026-43166 Overview
CVE-2026-43166 is an out-of-bounds read vulnerability in the Linux kernel's erofs (Enhanced Read-Only File System) implementation. The flaw resides in the handling of encoded extents, specifically in the misclassification of plain data as interlaced plain extents when alignment requirements are not met. A crafted compressed image containing plain extents with unaligned physical lengths triggers an out-of-bounds read in z_erofs_transform_plain(). The issue was discovered by syzbot through fuzzing.
Critical Impact
Mounting or processing a malicious erofs image can trigger a kernel out-of-bounds read, potentially leading to information disclosure or kernel instability.
Affected Products
- Linux kernel versions containing the erofs encoded extent handling code prior to the fix
- Distributions shipping vulnerable stable kernel branches
- Systems mounting untrusted erofs images
Discovery Timeline
- 2026-05-06 - CVE-2026-43166 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43166
Vulnerability Analysis
The vulnerability exists in the erofs code that processes encoded extents. The driver classifies each extent into a layout such as plain, compressed, or interlaced plain. Interlaced plain extents carry an alignment requirement: both the start position and the on-disk physical length must be multiples of the filesystem block size. The defective logic classified plain extents with unaligned physical lengths as interlaced plain instead of treating them as shifted plain extents. z_erofs_transform_plain() then handled the data under the interlaced-layout assumptions and read past the intended buffer boundary while copying the plain data out of the compressed layout. Syzbot triggered the issue with a crafted compressed image, which shows that anyone who controls the on-disk image content can trigger the out-of-bounds read without needing any other foothold in the kernel.
Root Cause
The root cause is missing alignment validation in the extent classification logic. The code path treated any plain extent within an encoded layout as interlaced without verifying that both start position and on-disk physical length were block-aligned. This violates an implicit invariant in z_erofs_transform_plain(), which assumes interlaced plain extents are always aligned [CWE-125].
Attack Vector
An attacker crafts a malicious erofs image with encoded extents containing plain data whose physical length is not a multiple of the filesystem block size. When the kernel mounts or reads from this image, the erofs decoder calls z_erofs_transform_plain() and reads beyond the allocated buffer. Exploitation requires getting the kernel to parse a controlled erofs image. Mounting a block-backed filesystem ordinarily requires CAP_SYS_ADMIN, so the realistic paths are privileged components that mount attacker-supplied images on a user's behalf: removable-media automounters, container or system-image tooling that mounts downloaded layers, or any unprivileged mount interface a particular system configuration exposes.
No verified exploit code is publicly available. The upstream kernel commits listed under Patch Information implement the corrected classification logic.
Detection Methods for CVE-2026-43166
Indicators of Compromise
- Kernel log entries referencing z_erofs_transform_plain faults, KASAN out-of-bounds read reports, or oops messages tied to the erofs subsystem
- Unexpected mount activity involving erofs images from untrusted sources such as removable media or downloaded container layers
- Process crashes or kernel panics correlated with erofs decompression operations
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) on test or staging kernels to surface out-of-bounds reads in erofs handling
- Audit kernel version inventories against the patched commits referenced in upstream stable trees
- Inspect mount events for erofs filesystems originating outside trusted provisioning workflows
Monitoring Recommendations
- Collect and centralize dmesg and /var/log/kern.log output to identify erofs-related faults across the fleet
- Alert on mount syscalls specifying the erofs filesystem type from non-administrative contexts
- Track package versions of the running kernel and flag hosts that have not received the upstream fix
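The indicators and monitoring items above amount to one concrete check: find crash reports in the kernel log whose backtrace names an erofs symbol. The script below is an added example, not part of the advisory or of the erofs project. It assumes a report starts at a "BUG:", "Oops:" or "general protection fault" line and ends at the "---[ end trace" marker the kernel prints after a backtrace; the sample log it ships with is constructed, not a real capture.

```sh
#!/bin/sh
# Added example (not from the advisory or the erofs project): triage a kernel
# log for crash reports that name an erofs symbol. Assumed report shape: it
# starts at a "BUG:", "Oops:" or "general protection fault" line and ends at
# the "---[ end trace" marker the kernel prints after a backtrace.

# Read a kernel log (dmesg, /var/log/kern.log) from the files given as
# arguments, or from stdin when there are none. Print the first line of every
# report whose body mentions erofs; print nothing when the log is clean.
erofs_crash_reports() {
    awk '
        /BUG:|Oops:|general protection fault/ { inrep = 1; head = $0; hit = 0 }
        inrep && /erofs/                     { hit = 1 }
        inrep && /end trace/ {
            if (hit) print head
            inrep = 0
        }
    ' "$@"
}

# Number of erofs-related reports; usable as an alert threshold.
erofs_crash_count() {
    erofs_crash_reports "$@" | wc -l | tr -d ' '
}

# Constructed sample log, not a real capture: one erofs KASAN report, one
# unrelated oops, and an ordinary erofs mount message outside any report.
sample_log() {
    cat <<'EOF'
[   10.123456] EXT4-fs (sda1): mounted filesystem with ordered data mode
[   42.000002] BUG: KASAN: slab-out-of-bounds in z_erofs_transform_plain+0x1f0/0x3a0
[   42.000003] Read of size 4096 at addr ffff888012345000 by task syz-executor/1234
[   42.000004] Call Trace:
[   42.000005]  z_erofs_decompress_pcluster+0x5c0/0x1200
[   42.000006]  z_erofs_runqueue+0x2a0/0x4f0
[   42.000007] ---[ end trace 0000000000000000 ]---
[   77.000001] BUG: unable to handle page fault for address: 0000000000000008
[   77.000002] Call Trace:
[   77.000003]  nvme_irq+0x41/0x90
[   77.000004] ---[ end trace 0000000000000001 ]---
[   90.000001] erofs: (device loop0): mounted with root inode @ nid 36.
EOF
}

# Usage: sh erofs_triage.sh /var/log/kern.log
# With no file argument, demonstrate on the constructed sample instead.
if [ $# -gt 0 ]; then
    erofs_crash_reports "$@"
else
    sample_log | erofs_crash_reports
fi
```

Only the first report in the sample is reported: the KASAN header names z_erofs_transform_plain, the second oops has no erofs frame, and the mount message sits outside any report. Tune the start and end markers if your logging pipeline strips the "---[ end trace" line or merges reports.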
How to Mitigate CVE-2026-43166
Immediate Actions Required
- Apply the upstream stable kernel patches that correct the interlaced plain extent classification in erofs
- Restrict the ability of unprivileged users and containers to mount erofs images from untrusted sources
- Verify the integrity and provenance of any erofs images used for system images, containers, or removable media
Patch Information
The fix is available in the upstream Linux stable tree across multiple branches. Reference commits include 4a2d046e4b13, 9d5a97bc71ed, and d3790f26d386. The patch ensures that only plain data with both block-aligned start position and on-disk physical length is classified as interlaced plain; otherwise the data is treated as shifted plain extents.
Workarounds
- Disable the erofs kernel module on systems that do not require it: unload it with modprobe -r erofs and add an install erofs /bin/false rule under /etc/modprobe.d (a blacklist line alone only stops alias-based autoload; modprobe erofs by name still loads the module). This has no effect where erofs is built into the kernel (CONFIG_EROFS_FS=y), which only a patched kernel addresses
- Block unprivileged user namespaces or restrict mount capabilities where untrusted images could be processed
- Validate erofs images with trusted tooling before mounting on production hosts
# Configuration example - block the erofs module on systems that do not require it
# (no effect if erofs is built in: check with grep -w erofs /proc/filesystems first)
printf 'blacklist erofs\ninstall erofs /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-erofs.conf
sudo modprobe -r erofs 2>/dev/null || true
# Verify: no erofs line from lsmod, and no erofs entry registered in /proc/filesystems
lsmod | grep -w erofs || echo "erofs module not loaded"
grep -w erofs /proc/filesystems || echo "erofs not registered"
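The workaround above leaves several distinct end states, and the verification step should name which one a host is in. The script below is an added example, not part of the advisory or the kernel project. It classifies a host from three inputs the caller gathers: the text of /proc/filesystems (every filesystem currently registered, whether built in or loaded as a module), the concatenated modprobe.d configuration, and the kernel build configuration. The state names are this example's own, and the live wrapper's config-file paths are the usual distribution defaults, not something the page specifies.

```sh
#!/bin/sh
# Added example, not part of the advisory or of the kernel project.
# Classify how exposed a host is to erofs image parsing from three inputs the
# caller supplies as strings. The state names are this example's own.

# erofs_state PROC_FILESYSTEMS_TEXT MODPROBE_D_TEXT KERNEL_CONFIG_TEXT
erofs_state() {
    if printf '%s\n' "$3" | grep -q '^CONFIG_EROFS_FS=y'; then
        echo builtin          # in the kernel image: cannot be unloaded or blocked, patch the kernel
    elif printf '%s\n' "$1" | grep -qw erofs; then
        echo loaded           # registered right now: mountable until modprobe -r erofs
    elif printf '%s\n' "$2" | grep -Eq '^[[:space:]]*install[[:space:]]+erofs[[:space:]]'; then
        echo blocked          # install rule defeats both "modprobe erofs" and mount-time autoload
    elif printf '%s\n' "$2" | grep -Eq '^[[:space:]]*blacklist[[:space:]]+erofs([[:space:]]|$)'; then
        echo autoload-blocked # blacklist ignores the fs-erofs alias only; "modprobe erofs" still loads it
    else
        echo unprotected
    fi
}

# Gather the live inputs read-only and classify this host. Paths are the
# common distribution defaults (assumption); /proc/config.gz needs CONFIG_IKCONFIG_PROC.
erofs_state_live() {
    fs=$(cat /proc/filesystems 2>/dev/null)
    mp=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null || zcat /proc/config.gz 2>/dev/null)
    erofs_state "$fs" "$mp" "$cfg"
}

# Usage: sh erofs_state.sh --live
if [ "${1:-}" = "--live" ]; then
    erofs_state_live
fi
```

The order of the checks matters: a built-in erofs is reported first because no modprobe.d rule can help it, and a loaded module is reported before any rule because the rule only governs future loads. Only "blocked" (or "builtin" on a patched kernel) is an acceptable end state for a host that must not parse untrusted erofs images.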
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.