CVE-2025-40200
Description
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: reject negative file sizes in squashfs_read_inode()
Syzkaller reports a "WARNING in ovl_copy_up_file" in overlayfs.
This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size.
This commit checks for a negative file size and returns EINVAL.
[phillip@squashfs.org.uk: only need to check 64 bit quantity]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Squashfs now rejects negative file sizes in squashfs_read_inode() to prevent a kernel warning in overlayfs and potential denial of service.
Root Cause
In the Linux kernel's Squashfs filesystem, the squashfs_read_inode() function did not check whether the file size (stored as a 64-bit signed integer) was negative. When a crafted Squashfs image containing a negative file size was mounted, the function would propagate this invalid value to other kernel subsystems, such as overlayfs, triggering a warning in ovl_copy_up_file() [1].
Attack Vector
An attacker with the ability to mount a malicious Squashfs image (e.g., via a removable device, network share, or in a container environment) could exploit this missing validation. The attack requires local access or the ability to trigger a mount operation using a crafted filesystem image. No additional authentication is needed beyond standard mount permissions.
Impact
Upon accessing the file with a negative size, the kernel emits a warning message and may exhibit unpredictable behavior, effectively leading to a denial of service (system instability or panic). The patch by Phillip Lougher adds a check for a negative 64-bit file size in squashfs_read_inode() and returns -EINVAL immediately, preventing the invalid value from reaching higher layers [1].
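The check described above, modelled in user-space C as an added example (it is not the kernel patch or code from this page): the helper names, the constructed sample bytes and the simplified field handling are assumptions. It also illustrates the commit note that only the 64-bit quantity needs checking, assuming the basic regular-file inode carries a 32-bit size that is zero-extended and so cannot become negative.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample size fields (little-endian, as Squashfs stores them). */
static const uint8_t SAMPLE_OK[8]      = {0x00, 0x10, 0, 0, 0, 0, 0, 0}; /* 4096 */
static const uint8_t SAMPLE_NEG[8]     = {0, 0, 0, 0, 0, 0, 0, 0x80};    /* top bit set */
static const uint8_t SAMPLE_REG_MAX[4] = {0xff, 0xff, 0xff, 0xff};       /* largest 32-bit size */

/* Decode byte by byte so the result does not depend on host endianness. */
static uint64_t get_le(const uint8_t *p, int nbytes)
{
    uint64_t v = 0;
    for (int i = nbytes - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Basic regular-file inode (assumed 32-bit size): zero-extended, never negative. */
int64_t reg_size(const uint8_t raw[4])
{
    return (int64_t)get_le(raw, 4);
}

/* Pre-fix behaviour: the 64-bit field is reinterpreted as signed, unchecked. */
int64_t lreg_size_unchecked(const uint8_t raw[8])
{
    uint64_t disk = get_le(raw, 8);
    int64_t i_size;
    memcpy(&i_size, &disk, sizeof(i_size)); /* same bits, signed view */
    return i_size;
}

/* Post-fix behaviour: a size with the sign bit set is rejected with -EINVAL. */
int64_t lreg_size_checked(const uint8_t raw[8])
{
    int64_t i_size = lreg_size_unchecked(raw);
    return i_size < 0 ? -EINVAL : i_size;
}

int main(void)
{
    printf("unchecked:  %lld\n", (long long)lreg_size_unchecked(SAMPLE_NEG));
    printf("checked:    %lld\n", (long long)lreg_size_checked(SAMPLE_NEG));
    printf("32-bit max: %lld\n", (long long)reg_size(SAMPLE_REG_MAX));
    return 0;
}
```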
Mitigation
The fix has been merged into the stable kernel tree. Users should update their kernel to a version containing commit 875fb3f87ae0 or the corresponding backports (commits f271155ff31a, 8118f6612489, 8c7aad767518) [2][3][4]. No workaround other than avoiding the use of untrusted Squashfs images is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (8)
- 54170057a5fa
- 2871c74caa3f
- fbfc745db628
- 8118f6612489
- 8c7aad767518
- 875fb3f87ae0
- f271155ff31a
- 9f1c14c1de1b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/2871c74caa3f4f05b429e6bfefebac62dbf1b408 (nvd)
- git.kernel.org/stable/c/54170057a5fadd24a37b70de41e61d39284d9bd7 (nvd)
- git.kernel.org/stable/c/8118f66124895829443d09c207e654adcb2f9321 (nvd)
- git.kernel.org/stable/c/875fb3f87ae0225b881319ba016a1a8c4ffd5812 (nvd)
- git.kernel.org/stable/c/8c7aad76751816207fee556d44aa88a710824810 (nvd)
- git.kernel.org/stable/c/9f1c14c1de1bdde395f6cc893efa4f80a2ae3b2b (nvd)
- git.kernel.org/stable/c/f271155ff31aca8ef82c61c8df23ca97e9a77dd4 (nvd)
- git.kernel.org/stable/c/fbfc745db628de31f5c089147deeb87e95b89e66 (nvd)