CVE-2026-43166 HIGH

CVE-2026-43166: erofs: fix interlaced plain identification for encoded extents

Vendor Linux
Product Linux
Published May 6, 2026
Last update May 11, 2026

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

What the vulnerability does

01 Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix interlaced plain identification for encoded extents

Only plain data whose start position and on-disk physical length are both aligned to the block size should be classified as interlaced plain extents. Otherwise, it must be treated as shifted plain extents.

This issue was found by syzbot using a crafted compressed image containing plain extents with unaligned physical lengths, which can cause OOB read in z_erofs_transform_plain().

Key dates

02 Disclosure timeline

May 6, 2026 CVE published
May 11, 2026 Record updated