In the Linux kernel, the following vulnerability has been resolved:
erofs: fix inline data read failure for ztailpacking pclusters
Compressed folios for ztailpacking pclusters must be valid before adding these pclusters to I/O chains. Otherwise, zerofsdecompress_pcluster() may assume they are already valid and then trigger a NULL pointer dereference.
It is somewhat hard to reproduce because the inline data is in the same block as the tail of the compressed indexes, which are usually read just before. However, it may still happen if a fatal signal arrives while readmappingfolio() is running, as shown below:
erofs: (device dm-1): zerofspcluster_begin: failed to get inline data -4 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
...
pc : zerofsdecompressqueue+0x4c8/0xa14 lr : zerofsdecompressqueue+0x160/0xa14 sp : ffffffc08b3eb3a0 x29: ffffffc08b3eb570 x28: ffffffc08b3eb418 x27: 0000000000001000 x26: ffffff8086ebdbb8 x25: ffffff8086ebdbb8 x24: 0000000000000001 x23: 0000000000000008 x22: 00000000fffffffb x21: dead000000000700 x20: 00000000000015e7 x19: ffffff808babb400 x18: ffffffc089edc098 x17: 00000000c006287d x16: 00000000c006287d x15: 0000000000000004 x14: ffffff80ba8f8000 x13: 0000000000000004 x12: 00000006589a77c9 x11: 0000000000000015 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 000000000000003f x5 : 0000000000000040 x4 : ffffffffffffffe0 x3 : 0000000000000020 x2 : 0000000000000008 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: zerofsdecompressqueue+0x4c8/0xa14 zerofsrunqueue+0x908/0x97c zerofsreadfolio+0x128/0x228 filemapreadfolio+0x68/0x128 filemapgetpages+0x44c/0x8b4 filemapread+0x12c/0x5b8 genericfilereaditer+0x4c/0x15c doiterreadvwritev+0x188/0x1e0 vfsiterread+0xac/0x1a4 backingfilereaditer+0x170/0x34c ovlreaditer+0xf0/0x140 vfsread+0x28c/0x344 ksysread+0x80/0xf0 _arm64sysread+0x24/0x34 invokesyscall+0x60/0x114 el0svccommon+0x88/0xe4 doel0svc+0x24/0x30 el0svc+0x40/0xa8 el0t64synchandler+0x70/0xbc el0t64sync+0x1bc/0x1c0
Fix this by reading the inline data before allocating and adding the pclusters to the I/O chains.
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45943.json"
}