CVE-2025-40049 in Linux
Summary
by MITRE • 10/28/2025
In the Linux kernel, the following vulnerability has been resolved:
Squashfs: fix uninit-value in squashfs_get_parent
Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug.
This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory.
Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field.
unsigned int parent_ino = squashfs_i(inode)->parent;
Because non-directory inodes in Squashfs do not have a parent value, this is uninitialised, and this causes an uninitialised value access.
The fix is to initialise parent with the invalid inode 0, which will cause an EINVAL error to be returned.
Regular inodes used to share the parent field with the block_list_start field. This is removed in this commit to enable the parent field to contain the invalid inode number 0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/20/2026
The vulnerability CVE-2025-40049 represents a critical uninitialized value access flaw within the Linux kernel's squashfs filesystem implementation that was identified through systematic kernel fuzzing by syzkaller. This issue manifests as a KMSAN (Kernel Memory Sanitizer) warning indicating an uninitialized value access in the squashfs_get_parent function, highlighting a fundamental design flaw in how the filesystem handles symbolic link inodes during parent directory resolution operations. The vulnerability occurs when the open_by_handle_at() system call is invoked with a file handle containing an invalid parent inode number, specifically one that references a symbolic link rather than a directory structure. The technical root cause stems from the squashfs_get_parent() function receiving a symbolic link inode number and subsequently accessing the parent member field without proper validation, as non-directory inodes in squashfs filesystems do not maintain valid parent information. This creates a scenario where the parent_ino variable contains uninitialized memory values, leading to unpredictable behavior and potential security implications.
The operational impact of this vulnerability extends beyond simple functional failures to encompass potential privilege escalation and system stability issues within kernel space operations. When the squashfs_get_parent() function processes a symbolic link inode, it attempts to access an uninitialized parent field that should logically contain a valid directory inode number, but instead contains garbage data from memory. This uninitialized memory access creates a potential attack surface where malicious actors could exploit the inconsistent state to manipulate kernel memory structures or bypass access controls. The vulnerability particularly affects systems running squashfs filesystems and utilizing the open_by_handle_at() interface, which is commonly used for file descriptor management and cross-filesystem operations. The flaw demonstrates a classic CWE-457: Use of Uninitialized Variable pattern, where the parent field in squashfs inode structures is not properly initialized for symbolic link inodes, creating an uninitialized value access that could be leveraged for more sophisticated attacks.
The mitigation strategy for this vulnerability involves a targeted code modification that initializes the parent field with the invalid inode number 0, which subsequently triggers an EINVAL error code to be returned to userspace applications. This approach directly addresses the uninitialized value access by ensuring that symbolic link inodes cannot proceed with invalid parent resolution operations, thereby preventing the kernel from operating on uninitialized memory. The fix also removes the historical sharing of the parent field with the block_list_start field for regular inodes, which was a design compromise that prevented proper initialization of the parent field. This change aligns with ATT&CK technique T1068: Exploitation for Privilege Escalation by preventing unauthorized access to uninitialized kernel memory structures. The implementation requires careful consideration of existing filesystem operations and maintains backward compatibility while ensuring that all inode types properly initialize their parent fields according to their semantic meaning within the filesystem hierarchy. The fix represents a defensive programming approach that prevents the kernel from operating on potentially corrupted or uninitialized data structures, effectively closing the vulnerability while maintaining the integrity of the squashfs filesystem implementation.