VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 4, 2025· Updated Apr 15, 2026

CVE-2025-40241

CVE-2025-40241

Description

In the Linux kernel, the following vulnerability has been resolved:

erofs: fix crafted invalid cases for encoded extents

Robert recently reported two corrupted images that can cause system crashes, which are related to the new encoded extents introduced in Linux 6.15:

- The first one [1] has plen != 0 (e.g. plen == 0x2000000) but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0. It is used to represent special extents such as sparse extents (!EROFS_MAP_MAPPED), but previously only plen == 0 was handled;

- The second one [2] has pa 0xffffffffffdcffed and plen 0xb4000, then "cur [0xfffffffffffff000] += bvec.bv_len [0x1000]" in "} while ((cur += bvec.bv_len) < end);" wraps around, causing an out-of-bound access of pcl->compressed_bvecs[] in z_erofs_submit_queue(). EROFS only supports 48-bit physical block addresses (up to 1EiB for 4k blocks), so add a sanity check to enforce this.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's erofs, improper validation of encoded extents allows crafted images to cause system crashes via out-of-bound access.

Vulnerability

Description The vulnerability resides in the EROFS filesystem's handling of encoded extents, introduced in Linux 6.15. Two crafted images demonstrate missing validation: one with plen non-zero but (plen & Z_EROFS_EXTENT_PLEN_MASK) == 0, causing special extent misclassification; another with physical address 0xffffffffffdcffed and plen 0xb4000 causing an integer overflow in a loop, leading to out-of-bound access of pcl->compressed_bvecs[].

Exploitation

An attacker with the ability to mount a maliciously crafted EROFS image can trigger these vulnerabilities. No special privileges are required beyond mount access; the image can be presented as a file or block device.

Impact

Successful exploitation results in a system crash (out-of-bound memory access), leading to denial of service.

Mitigation

The fix has been applied in the Linux kernel stable tree via commit [1], which adds checks for zero-masked plen and enforces a 48-bit physical address limit.

References
  1. Making sure you're not a bot!

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Linux/Kernelinferred2 versions
    >=6.15+ 1 more
    • (no CPE)range: >=6.15
    • (no CPE)range: >=6.15

Patches

2
00d8fe0b72f4
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit
a429b76114aa
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitvia osv
commit

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.