CVE-2026-46329 Overview
CVE-2026-46329 affects the Linux kernel's Enhanced Read-Only File System (erofs) implementation. The flaw involves improper handling of I/O requests that extend beyond the end of the filesystem when using file-backed mounts. The kernel fails to zero out these out-of-range I/O requests, diverging from the expected behavior seen in loopback devices. Maintainers resolved the issue across multiple stable kernel branches with commits 8d582d6, bc804a8, e49abde, and fe40390.
Critical Impact
I/O requests beyond the end of an erofs file-backed mount were not zeroed, which can lead to inconsistent reads or unintended data exposure for filesystem consumers relying on standard end-of-device semantics.
Affected Products
- Linux kernel — erofs subsystem with file-backed mount support
- Stable kernel branches referenced by upstream fix commits 8d582d6, bc804a8, e49abde, fe40390
- Distributions shipping vulnerable erofs implementations prior to backport
Discovery Timeline
- 2026-06-09 - CVE-2026-46329 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-46329
Vulnerability Analysis
The erofs filesystem supports mounting from a backing file rather than a block device. In this mode, the subsystem must mediate I/O between the upper filesystem layer and the underlying file. When a read request targets an offset that extends past the file's actual end, the expected behavior, consistent with loopback block devices, is to return zero-filled buffers for the out-of-range portion.
The vulnerable code path does not implement this zeroing for file-backed mounts. As a result, I/O requests that cross the end-of-filesystem boundary are not handled with the same semantics as loopback-based mounts. This produces inconsistent return data and breaks an invariant that callers in the block and filesystem layers depend on.
The upstream fix corrects the boundary condition in the erofs file-backed I/O path. It ensures buffers covering ranges beyond the filesystem extent are zeroed before being returned to upper layers. See the Kernel Git Commit 8d582d6 and the Kernel Git Commit fe40390 for the patch series.
Root Cause
The root cause is a missing boundary check and zero-fill operation in the erofs file-backed mount I/O handler. The handler treated end-of-filesystem requests differently from the loopback device path it was modeled on, violating the documented expectation that out-of-range reads return zeros.
Attack Vector
The issue requires an attacker or test workload capable of triggering I/O beyond the declared filesystem size on an erofs file-backed mount. Triggering the condition typically requires local access to a system that has mounted an erofs image via the file-backed path. Exploitability for privilege escalation or information disclosure depends on residual buffer contents and surrounding code paths in the caller.
No public proof-of-concept code is available. The vulnerability mechanism is described in the upstream commit messages referenced above.
Detection Methods for CVE-2026-46329
Indicators of Compromise
- No known in-the-wild exploitation indicators have been published for CVE-2026-46329.
- Kernel logs referencing erofs I/O errors or unexpected end-of-device reads on file-backed mounts.
- Application-level read errors or non-deterministic data returned from erofs-mounted images.
Detection Strategies
- Inventory hosts running Linux kernels that include erofs file-backed mount support and confirm whether the patches 8d582d6, bc804a8, e49abde, or fe40390 are applied.
- Compare installed kernel package versions against vendor advisories for the erofs fix series.
- Audit user-space tooling that mounts erofs images from regular files, focusing on workflows that read near image boundaries.
Monitoring Recommendations
- Forward kernel ring buffer and dmesg output to a central logging system and alert on erofs subsystem warnings.
- Track mount events for erofs filesystems and correlate with kernel version metadata.
- Monitor file integrity for erofs image files used as mount sources to detect unexpected modifications.
How to Mitigate CVE-2026-46329
Immediate Actions Required
- Apply the latest stable kernel updates from your Linux distribution that incorporate the erofs file-backed mount fix.
- Identify systems mounting erofs images from files and prioritize them for patching.
- Restrict the ability to mount untrusted erofs images to privileged users only.
Patch Information
Upstream fixes are available in the Linux kernel stable tree. Apply the patches from the Kernel Git Commit 8d582d6, Kernel Git Commit bc804a8, Kernel Git Commit e49abde, and Kernel Git Commit fe40390. Consult your distribution's security tracker for the corresponding packaged kernel release.
Workarounds
- Avoid mounting erofs images via the file-backed path on unpatched kernels; prefer block device or loopback mounts where feasible.
- Limit CAP_SYS_ADMIN and mount privileges to trusted administrators to reduce exposure on shared systems.
- Validate erofs image sizes before mounting to ensure they match expected filesystem extents.
# Verify the running kernel and check for the erofs patch in distribution changelogs
uname -r
# Example: confirm package version on Debian/Ubuntu
dpkg -l | grep linux-image
# Example: confirm package version on RHEL/Fedora
rpm -qa | grep kernel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
