CVE-2025-38172

In the Linux kernel, the following vulnerability has been resolved:

erofs: avoid using multiple devices with different type

For multiple devices, both primary and extra devices should be the
same type. `erofs_init_device` has already guaranteed that if the
primary is a file-backed device, extra devices should also be
regular files.

However, if the primary is a block device while the extra device
is a file-backed device, `erofs_init_device` will get an ENOTBLK,
which is not treated as an error in `erofs_fc_get_tree`, and that
leads to an UAF:

  erofs_fc_get_tree
    get_tree_bdev_flags(erofs_fc_fill_super)
      erofs_read_superblock
        erofs_init_device  // sbi->dif0 is not inited yet,
                           // return -ENOTBLK
      deactivate_locked_super
        free(sbi)
    if (err is -ENOTBLK)
      sbi->dif0.file = filp_open()  // sbi UAF

So if -ENOTBLK is hitted in `erofs_init_device`, it means the
primary device must be a block device, and the extra device
is not a block device. The error can be converted to -EINVAL.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
not-affected
bookworm
6.1.137-1
not-affected
bullseye (security)
5.10.237-1
fixed
bookworm (security)
6.1.140-1
fixed
trixie (security)
vulnerable
sid
vulnerable
trixie
vulnerable
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/65115472f741ca000d7ea4a5922214f93cd1516e
https://git.kernel.org/stable/c/9748f2f54f66743ac77275c34886a9f890e18409
https://git.kernel.org/stable/c/cd04beb9ce2773a16057248bb4fa424068ae3807