CVE-2025-38172
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38172
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38172.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-38172
- Downstream
- Published
- 2025-07-03T08:36:10Z
- Modified
- 2025-10-18T02:45:47.798443Z
- Summary
- erofs: avoid using multiple devices with different type
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
erofs: avoid using multiple devices with different type
For multiple devices, both primary and extra devices should be the same type.
erofs_init_devicehas already guaranteed that if the primary is a file-backed device, extra devices should also be regular files.However, if the primary is a block device while the extra device is a file-backed device,
erofs_init_devicewill get an ENOTBLK, which is not treated as an error inerofs_fc_get_tree, and that leads to an UAF:erofsfcgettree gettreebdevflags(erofsfcfillsuper) erofsreadsuperblock erofsinitdevice // sbi->dif0 is not inited yet, // return -ENOTBLK deactivatelockedsuper free(sbi) if (err is -ENOTBLK) sbi->dif0.file = filpopen() // sbi UAF
So if -ENOTBLK is hitted in
erofs_init_device, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL. - References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfb176750266a3d7f42ebdcf28e8ba40350b27847Fixed65115472f741ca000d7ea4a5922214f93cd1516e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfb176750266a3d7f42ebdcf28e8ba40350b27847Fixedcd04beb9ce2773a16057248bb4fa424068ae3807
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedfb176750266a3d7f42ebdcf28e8ba40350b27847Fixed9748f2f54f66743ac77275c34886a9f890e18409
Affected versions
v6.*
v6.11
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
Database specific
vanir_signatures
[
{
"id": "CVE-2025-38172-31e291f0",
"deprecated": false,
"digest": {
"length": 1373.0,
"function_hash": "179934217437853389915950967232845861772"
},
"target": {
"file": "fs/erofs/super.c",
"function": "erofs_init_device"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9748f2f54f66743ac77275c34886a9f890e18409",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2025-38172-389afc44",
"deprecated": false,
"digest": {
"length": 1373.0,
"function_hash": "179934217437853389915950967232845861772"
},
"target": {
"file": "fs/erofs/super.c",
"function": "erofs_init_device"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd04beb9ce2773a16057248bb4fa424068ae3807",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2025-38172-6f5dfb2b",
"deprecated": false,
"digest": {
"length": 1387.0,
"function_hash": "116103684906645232437401598458549171618"
},
"target": {
"file": "fs/erofs/super.c",
"function": "erofs_init_device"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@65115472f741ca000d7ea4a5922214f93cd1516e",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2025-38172-75b0b8d1",
"deprecated": false,
"digest": {
"line_hashes": [
"93896023460800140993078890913851437936",
"234263658139618896240067322419426957989",
"5338847901380570306155002562365792301",
"99211175673006647044442294068155915222",
"59683606506007078008947281108343889143"
],
"threshold": 0.9
},
"target": {
"file": "fs/erofs/super.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd04beb9ce2773a16057248bb4fa424068ae3807",
"signature_version": "v1",
"signature_type": "Line"
},
{
"id": "CVE-2025-38172-8a16fc20",
"deprecated": false,
"digest": {
"line_hashes": [
"93896023460800140993078890913851437936",
"234263658139618896240067322419426957989",
"5338847901380570306155002562365792301",
"99211175673006647044442294068155915222",
"59683606506007078008947281108343889143"
],
"threshold": 0.9
},
"target": {
"file": "fs/erofs/super.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9748f2f54f66743ac77275c34886a9f890e18409",
"signature_version": "v1",
"signature_type": "Line"
},
{
"id": "CVE-2025-38172-e4c1abab",
"deprecated": false,
"digest": {
"line_hashes": [
"93896023460800140993078890913851437936",
"234263658139618896240067322419426957989",
"5338847901380570306155002562365792301",
"99211175673006647044442294068155915222",
"59683606506007078008947281108343889143"
],
"threshold": 0.9
},
"target": {
"file": "fs/erofs/super.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@65115472f741ca000d7ea4a5922214f93cd1516e",
"signature_version": "v1",
"signature_type": "Line"
}
]