CVE-2025-68210
Description
In the Linux kernel, the following vulnerability has been resolved:
erofs: avoid infinite loop due to incomplete zstd-compressed data
Currently, the decompression logic incorrectly spins if compressed data is truncated in crafted (deliberately corrupted) images.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's EROFS filesystem, a crafted image with truncated zstd-compressed data can trigger an infinite loop during decompression.
Root Cause
The vulnerability resides in the EROFS (Enhanced Read-Only File System) decompression logic for zstd-compressed data. When a crafted filesystem image contains an incomplete or truncated compressed block, the decompression routine does not recognize that the stream has ended early: it keeps asking the decoder for more output while no further input exists, so each pass consumes nothing and produces nothing, and the loop never terminates [1][2].
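The failure mode above, as an added illustration that is not the kernel's EROFS code and does not use the real zstd API: a toy streaming decoder (length-prefixed literal blocks, assumed here for the example) is driven by two loops, one that keeps retrying while the decoder reports "need more input" and therefore spins on a truncated extent, and one that treats a pass with no forward progress as corrupted input and fails with the same error value kernel filesystem code maps `EFSCORRUPTED` to. The toy format, function names and the iteration cap in the spinning variant are all assumptions made for the example.

```c
/* Added example: a "no progress" guard for streaming decompression of
 * possibly truncated data. Not the kernel's EROFS code and not the zstd
 * API; the toy block format and all helper names are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EUCLEAN
#define EUCLEAN 117
#endif
#define EFSCORRUPTED EUCLEAN /* kernel fs code uses this mapping */

/* Toy stream: [len][len literal bytes]... terminated by a 0 length byte. */
struct toy_dctx { size_t in_pos; size_t out_pos; };

/* Decode as many whole blocks as possible. Returns 0 once the terminator
 * is seen, SIZE_MAX if the output buffer is too small, or a positive
 * "bytes still needed" hint (zstd-style) when the decoder wants more. */
static size_t toy_decompress_step(struct toy_dctx *d,
                                  const uint8_t *in, size_t in_len,
                                  uint8_t *out, size_t out_cap)
{
    while (d->in_pos < in_len) {
        uint8_t len = in[d->in_pos];
        if (len == 0) { d->in_pos++; return 0; }       /* end of stream */
        if (in_len - d->in_pos - 1 < len)              /* partial block */
            return len - (in_len - d->in_pos - 1);
        if (out_cap - d->out_pos < len) return SIZE_MAX;
        memcpy(out + d->out_pos, in + d->in_pos + 1, len);
        d->out_pos += len;
        d->in_pos += len + 1;
    }
    return 1; /* input exhausted before the terminator: asks for more */
}

/* Spinning shape: retry while the decoder wants more input. With a
 * truncated extent there is nothing left to feed it, so no pass makes
 * progress. max_iters is a harness guard only; the real loop had none. */
static int decompress_spin(const uint8_t *in, size_t in_len,
                           uint8_t *out, size_t out_cap, size_t *out_len,
                           unsigned max_iters)
{
    struct toy_dctx d = {0, 0};
    for (unsigned iters = 0;; iters++) {
        size_t need = toy_decompress_step(&d, in, in_len, out, out_cap);
        if (need == 0) { *out_len = d.out_pos; return 0; }
        if (need == SIZE_MAX) return -EFSCORRUPTED;
        if (iters >= max_iters) return -ELOOP;  /* stands in for "hangs" */
    }
}

/* Guarded shape: if the decoder still wants input but a whole pass moved
 * neither the input nor the output cursor, the data is truncated. */
static int decompress_checked(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    struct toy_dctx d = {0, 0};
    for (;;) {
        size_t in_before = d.in_pos, out_before = d.out_pos;
        size_t need = toy_decompress_step(&d, in, in_len, out, out_cap);
        if (need == 0) { *out_len = d.out_pos; return 0; }
        if (need == SIZE_MAX) return -EFSCORRUPTED;
        if (d.in_pos == in_before && d.out_pos == out_before)
            return -EFSCORRUPTED;           /* no progress: fail, don't spin */
    }
}

int main(void)
{
    /* Constructed inputs: a complete stream and the same stream cut short. */
    static const uint8_t ok[]  = {3, 'a', 'b', 'c', 2, 'd', 'e', 0};
    static const uint8_t cut[] = {3, 'a', 'b', 'c', 2, 'd'};
    uint8_t out[64];
    size_t n = 0;
    int rc = decompress_checked(ok, sizeof ok, out, sizeof out, &n);
    printf("valid image:     checked rc=%d, %zu bytes\n", rc, n);
    rc = decompress_spin(cut, sizeof cut, out, sizeof out, &n, 16);
    printf("truncated image: spin rc=%d (gave up after 16 passes)\n", rc);
    rc = decompress_checked(cut, sizeof cut, out, sizeof out, &n);
    printf("truncated image: checked rc=%d (-EFSCORRUPTED=%d)\n", rc, -EFSCORRUPTED);
    return 0;
}
```

The progress check is deliberately generic: it does not depend on knowing why the decoder stalled, only that a full pass changed nothing, which is the property a truncated stream violates regardless of the compression format.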
Exploitation
An attacker must supply a specially crafted EROFS image containing truncated zstd-compressed data, and the victim system must mount it (for example through a loop device or from a corrupted storage medium). The attack surface is local. Mounting a block-backed filesystem such as EROFS requires CAP_SYS_ADMIN, and EROFS does not opt in to unprivileged user-namespace mounts, so an ordinary user cannot trigger the bug directly; the realistic paths are privileged services that mount user-supplied images, such as container image handling or automounting of removable media.
Impact
Successful exploitation causes a denial of service: the kernel context performing the decompression spins indefinitely, pinning a CPU and stalling I/O on that filesystem. Depending on whether the loop runs with preemption enabled, the result ranges from a hung process and soft-lockup warnings to an unresponsive system.
Mitigation
The fix has been applied to the Linux kernel stable tree via commits [1] and [2]. Users should update their kernel to a version containing these patches. No workaround exists for unpatched systems other than not mounting untrusted EROFS images.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions (3)
No linked articles in our index yet.