CVE-2025-40049

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description The Linux kernel contains a flaw within the Squashfs file system related to uninitialized values in the

squashfs get parent

function. This issue arises when

open by handle at()

is invoked with a file handle containing an invalid parent inode number, specifically that of a symbolic link instead of a directory. The

squashfs get parent()

function then accesses the uninitialized parent member field, leading to a potential error. The fix involves initializing the parent field with the invalid inode number 0, which will return an EINVAL error. Previously, inodes shared the parent field with the

block list start

field, which has been removed to allow the parent field to contain the invalid inode number 0.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

CVE-2025-40049

Affected Products

Linux Kernel

Squashfs

CVE-2025-40049

Related Identifiers

Affected Products

References · 11