Vulnerability identifier: #VU113253
Vulnerability risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software: Linux kernel
Vendor: Linux Foundation
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read within the squashfs_fill_super() function in fs/squashfs/super.c.
Mitigation
Install the update from the vendor's repository.
Vulnerable software versions
Linux kernel: All versions
External links
https://git.kernel.org/stable/c/0aff95d9bc7fb5400ca8af507429c4b067bdb425
https://git.kernel.org/stable/c/295ab18c2dbce8d0ac6ecf7c5187e16e1ac8b282
https://git.kernel.org/stable/c/4f99357dadbf9c979ad737156ad4c37fadf7c56b
https://git.kernel.org/stable/c/549f9e3d7b60d53808c98b9fde49b4f46d0524a5
https://git.kernel.org/stable/c/5c51aa862cbeed2f3887f0382a2708956710bd68
https://git.kernel.org/stable/c/6abf6b78c6fb112eee495f5636ffcc350dd2ce25
https://git.kernel.org/stable/c/734aa85390ea693bb7eaf2240623d41b03705c84
https://git.kernel.org/stable/c/db7096ea160e40d78c67fce52e7cc51bde049497