UAF Vulnerability in Linux Kernel Affecting Multiple Device Types
CVE-2025-38172

Key Information:

Vendor: Linux
Status: Vendor
CVE Published: 3 July 2025

What is CVE-2025-38172?

A vulnerability exists in the Linux kernel's erofs file system: the device initialization code fails to handle mixed device types correctly. When a primary block device is paired with a file-backed extra device, improper error handling leads to a use-after-free condition, which can result in data corruption or application crashes. The flaw lies in device initialization, where the -ENOTBLK return value is not treated as an error, so initialization continues with further unsafe operations that can compromise system integrity.

Affected Version(s)

  • Linux from commit fb176750266a3d7f42ebdcf28e8ba40350b27847 before commit 65115472f741ca000d7ea4a5922214f93cd1516e
  • Linux from commit fb176750266a3d7f42ebdcf28e8ba40350b27847
  • Linux from commit fb176750266a3d7f42ebdcf28e8ba40350b27847 before commit 9748f2f54f66743ac77275c34886a9f890e18409

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.