Vulnerability Database

318,756

Total vulnerabilities in the database

CVE-2025-38415

In the Linux kernel, the following vulnerability has been resolved:

Squashfs: check return result of sb_min_blocksize

Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug.

Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs. When this happens the following code in squashfs_fill_super() fails.

msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize);

sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0.

As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64.

This subsequently causes the

UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long')

This commit adds a check for a 0 return by sb_min_blocksize().

  • Published: Jul 25, 2025
  • Updated: Dec 24, 2025
  • CVE: CVE-2025-38415
  • Severity: High
  • Exploit:

CVSS v3:

  • Severity: High
  • Score: 7.8
  • AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

Software From Fixed in
linux / linux_kernel 2.6.29 5.4.295
linux / linux_kernel 5.5 5.10.239
linux / linux_kernel 5.11 5.15.186
linux / linux_kernel 5.16 6.1.142
linux / linux_kernel 6.2 6.6.94
linux / linux_kernel 6.7 6.12.34
linux / linux_kernel 6.13 6.15.3
debian / debian_linux 11.0 11.0.x