PT-2025-44117 · Linux+5 · Linux Kernel+5

Published

2025-09-19

·

Updated

2026-05-07

·

CVE-2025-40049

CVSS v2.0

4.6

Medium

VectorAV:L/AC:L/Au:S/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)
Description The Linux kernel contains a flaw within the Squashfs file system related to uninitialized values in the squashfs get parent function. This issue arises when open by handle at() is invoked with a file handle containing an invalid parent inode number, specifically that of a symbolic link instead of a directory. The squashfs get parent() function then accesses the uninitialized parent member field, leading to a potential error. The fix involves initializing the parent field with the invalid inode number 0, which will return an EINVAL error. Previously, inodes shared the parent field with the block list start field, which has been removed to allow the parent field to contain the invalid inode number 0.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration

CWE-457

Related Identifiers

AZL-68915
BDU:2025-13639
CVE-2025-40049
DLA-4379-1
DLA-4404-1
DSA-6053-1
ECHO-DCDE-5389-E417
MGASA-2025-0309
MGASA-2025-0310
OPENSUSE-SU-2025:15702-1
OPENSUSE-SU-2025:20091-1
OPENSUSE-SU-2026:10301-1
SUSE-SU-2025:21040-1
SUSE-SU-2025:21052-1
SUSE-SU-2025:21056-1
SUSE-SU-2025:21064-1
SUSE-SU-2025:21080-1
SUSE-SU-2025:21147-1
SUSE-SU-2025:21180-1
SUSE-SU-2025:4057-1
SUSE-SU-2025:4128-1
SUSE-SU-2025:4132-1
SUSE-SU-2025:4140-1
SUSE-SU-2025:4141-1
SUSE-SU-2025:4189-1
SUSE-SU-2025:4301-1
USN-8029-1
USN-8029-2
USN-8029-3
USN-8030-1
USN-8033-1
USN-8033-2
USN-8033-3
USN-8033-4
USN-8033-5
USN-8033-6
USN-8033-7
USN-8033-8
USN-8034-1
USN-8034-2
USN-8048-1
USN-8095-1
USN-8095-2
USN-8095-3
USN-8095-4
USN-8095-5
USN-8100-1
USN-8125-1
USN-8126-1
USN-8141-1
USN-8163-1
USN-8163-2
USN-8165-1
USN-8243-1
USN-8261-1

Affected Products

Debian
Linuxmint
Linux Kernel
Squashfs
Suse
Ubuntu