CVE-2025-40049
Description
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix uninit-value in squashfs_get_parent
Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory.
Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.
unsigned int parent_ino = squashfs_i(inode)->parent;
Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.
The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.
Regular inodes used to share the parent field with the block_list_start field. This is removed in this commit to enable the parent field to contain the invalid inode number 0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel, squashfs_get_parent() performs an uninitialised read when open_by_handle_at() is given a file handle whose parent inode number names a symbolic link rather than a directory; fixed by initialising the parent field of non-directory inodes to the invalid inode number 0 so the lookup fails with -EINVAL.
Root Cause
CVE-2025-40049 is an uninitialised-value read in the Linux kernel's Squashfs filesystem driver, in squashfs_get_parent(). It is reached when open_by_handle_at() is given a file handle whose parent inode number does not name a directory, for example the inode number of a symbolic link. squashfs_get_parent() is then called on that symbolic-link inode and reads squashfs_i(inode)->parent. Only directory inodes carry a meaningful parent value: before the fix, regular inodes shared that storage with block_list_start, and other non-directory inodes such as symbolic links never wrote it at all, so the read returns whatever the memory previously held and the parent lookup that follows is driven by stale data rather than by filesystem metadata.
Exploitation
An attacker who can submit a crafted file handle to open_by_handle_at() on a mounted Squashfs filesystem can reach the uninitialised read; the handle only needs to carry a symbolic link's inode number in the slot where a directory's parent inode number is expected. The attack surface is local. Note that open_by_handle_at() has historically required the CAP_DAC_READ_SEARCH capability, so in practice the caller is a privileged local process, or one that has been granted that capability (for example inside a container), rather than an arbitrary unprivileged user.
Impact
Because the uninitialised parent number is fed into the subsequent inode lookup, the outcome depends on stale kernel memory rather than on the filesystem: the lookup may fail, or may resolve to an unrelated inode, in a code path meant to reconnect a directory to its parent. The Syzkaller report classifies this as a KMSAN (Kernel Memory Sanitizer) uninit-value bug. The public description establishes unpredictable behaviour and potential instability; it does not demonstrate a memory-disclosure or privilege-escalation primitive, so any such impact should be treated as unconfirmed.
Mitigation
The fix, already applied to the stable kernel trees [1], initialises the parent field of non-directory inodes to the invalid inode number 0, so that squashfs_get_parent() fails with -EINVAL when it is called on a non-directory inode instead of reading an uninitialised value. To make that possible the commit also stops regular inodes from sharing the parent field with block_list_start, so the parent field can reliably hold 0 for every non-directory inode. Users should update to a kernel containing the corresponding commit (e.g., 81a2bca52d43) [1]. No workaround other than applying the patch is known; restricting the CAP_DAC_READ_SEARCH capability limits who can reach open_by_handle_at() but does not remove the bug.
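The following userspace model, added here as an example and not code from the kernel or from the fix commit, reproduces the mechanics described in the Root Cause and Mitigation sections: a pre-fix inode layout in which regular files alias the parent field with block_list_start and symbolic links never write it, and a post-fix layout in which every non-directory inode carries parent = 0 so that the lookup performed by the get_parent step of handle decoding fails with -EINVAL. The inode table, the stale-memory fill standing in for the uninitialised value KMSAN reported, and the inode-number range check are simplified assumptions, not copies of the driver.

```c
/* Model of CVE-2025-40049 (constructed example, not kernel code). */
#include <errno.h>
#include <stdio.h>

enum ino_type { INO_DIR, INO_REG, INO_SYMLINK };

/* Pre-fix layout (modelled): one slot is the parent for directories and
 * block_list_start for regular files; symlinks write neither. */
struct inode_before {
    enum ino_type type;
    union {
        unsigned int parent;
        unsigned int block_list_start;
    };
};

/* Post-fix layout (modelled): separate fields, parent always written. */
struct inode_after {
    enum ino_type type;
    unsigned int parent;
    unsigned int block_list_start;
};

#define N_INODES 4      /* inode numbers 1..4 are valid; 0 is the invalid inode */
#define STALE_VALUE 2u  /* constructed: leftover content of recycled memory */

static struct inode_before tbl_before[N_INODES + 1];
static struct inode_after  tbl_after[N_INODES + 1];

/* Modelled inode-number validation done before a lookup: 0 and anything
 * beyond the inode count are rejected with -EINVAL (assumption). */
int inode_lookup(unsigned int ino_num)
{
    if (ino_num == 0 || ino_num > N_INODES)
        return -EINVAL;
    return (int)ino_num;
}

/* Build the image: 1 = root dir, 2 = regular file, 3 = symlink, 4 = subdir.
 * Every slot is first filled with STALE_VALUE to stand in for uninitialised
 * memory; the pre-fix initialiser leaves it in place for the symlink, the
 * post-fix initialiser overwrites it with 0 for all non-directories. */
void build_tables(void)
{
    for (unsigned int i = 1; i <= N_INODES; i++) {
        tbl_before[i].parent = STALE_VALUE;
        tbl_after[i].parent = STALE_VALUE;
    }
    tbl_before[1].type = INO_DIR;     tbl_before[1].parent = 1;
    tbl_before[2].type = INO_REG;     tbl_before[2].block_list_start = 1; /* aliases parent */
    tbl_before[3].type = INO_SYMLINK; /* parent never written: stays stale */
    tbl_before[4].type = INO_DIR;     tbl_before[4].parent = 1;

    tbl_after[1].type = INO_DIR;      tbl_after[1].parent = 1;
    tbl_after[2].type = INO_REG;      tbl_after[2].parent = 0; tbl_after[2].block_list_start = 1;
    tbl_after[3].type = INO_SYMLINK;  tbl_after[3].parent = 0;
    tbl_after[4].type = INO_DIR;      tbl_after[4].parent = 1;
}

/* get_parent as it behaved before the fix: trusts whatever the slot holds. */
int get_parent_before(unsigned int child)
{
    int rc = inode_lookup(child);
    return rc < 0 ? rc : inode_lookup(tbl_before[child].parent);
}

/* get_parent after the fix: non-directories carry parent = 0, so -EINVAL. */
int get_parent_after(unsigned int child)
{
    int rc = inode_lookup(child);
    return rc < 0 ? rc : inode_lookup(tbl_after[child].parent);
}

/* Modelled open_by_handle_at() path: the handle's parent_ino field is
 * resolved first, then get_parent is called on that inode while reconnecting
 * it to the root. A crafted handle can put a symlink's inode number there. */
int open_by_handle_parent(unsigned int parent_ino_in_handle, int fixed)
{
    int rc = inode_lookup(parent_ino_in_handle);
    if (rc < 0)
        return rc;
    return fixed ? get_parent_after((unsigned int)rc) : get_parent_before((unsigned int)rc);
}

int main(void)
{
    build_tables();
    printf("before fix: parent of symlink 3 -> %d (stale value resolved to an unrelated inode)\n",
           open_by_handle_parent(3, 0));
    printf("before fix: parent of file 2    -> %d (block_list_start read as parent)\n",
           open_by_handle_parent(2, 0));
    printf("after fix:  parent of symlink 3 -> %d (-EINVAL)\n", open_by_handle_parent(3, 1));
    printf("after fix:  parent of file 2    -> %d (-EINVAL)\n", open_by_handle_parent(2, 1));
    printf("after fix:  parent of dir 4     -> %d\n", open_by_handle_parent(4, 1));
    return 0;
}
```

The pre-fix table shows both failure modes the commit message describes: the symlink's slot returns the stale value left by earlier use of the memory, and the regular file's slot returns block_list_start reinterpreted as a parent inode number. After the fix both resolve to the invalid inode 0 and the range check rejects them, while the genuine directory still resolves normally.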
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
- f81a5bc9e924
- 382a47fae449
- 61d38b5ce278
- 81a2bca52d43
- c28b0ca029ed
- 1b3ccd001913
- 91b99db7a92e
- 74058c0a9fc8
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- https://git.kernel.org/stable/c/1b3ccd0019132880c94bb00ca7088c1749308f82 (source: nvd)
- https://git.kernel.org/stable/c/382a47fae449e554ef1e8c198667fd2f3270b945 (source: nvd)
- https://git.kernel.org/stable/c/61d38b5ce2782bff3cacaacbb8164087a73ed1a5 (source: nvd)
- https://git.kernel.org/stable/c/74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf (source: nvd)
- https://git.kernel.org/stable/c/81a2bca52d43fc9d9abf07408b91255131c5dc53 (source: nvd)
- https://git.kernel.org/stable/c/91b99db7a92e57ff48a96a1b10fddfd2547e7f53 (source: nvd)
- https://git.kernel.org/stable/c/c28b0ca029edf5d0558abcd76cb8c732706cd339 (source: nvd)
- https://git.kernel.org/stable/c/f81a5bc9e924ee1950e0dd82bd10749048390f6e (source: nvd)
News mentions (0)
No linked articles in our index yet.