CVE-2025-38172
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's EROFS filesystem driver. When an EROFS filesystem is mounted with multiple devices of different types (a block-device primary with a file-backed secondary), an error-handling flaw frees memory that is later accessed, potentially allowing kernel memory corruption. It affects Linux systems using EROFS with multiple-device configurations.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
A local attacker with the ability to mount EROFS filesystems could exploit the use-after-free to achieve kernel memory corruption, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context.
Likely Case
A local user could crash the kernel, causing system instability or denial of service. Privilege escalation is possible but requires specific memory manipulation.
If Mitigated
With proper access controls preventing unauthorized users from mounting filesystems, exposure is limited to authorized administrators.
🎯 Exploit Status
Exploitation requires local access and the ability to mount EROFS filesystems. The use-after-free condition must be carefully manipulated for reliable exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel with commits 65115472f741ca000d7ea4a5922214f93cd1516e, 9748f2f54f66743ac77275c34886a9f890e18409, cd04beb9ce2773a16057248bb4fa424068ae3807 applied
Vendor Advisory: https://git.kernel.org/stable/c/65115472f741ca000d7ea4a5922214f93cd1516e
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Reboot the system to load the patched kernel.
3. Verify the kernel version with 'uname -r'.
🔧 Temporary Workarounds
Disable EROFS module
Prevent loading of the EROFS kernel module to eliminate the attack surface
echo 'install erofs /bin/false' >> /etc/modprobe.d/disable-erofs.conf
rmmod erofs 2>/dev/null || true
Restrict filesystem mounting
Limit which users can mount filesystems, using sudoers or other access controls
# In /etc/sudoers or sudoers.d file:
# Remove mount privileges for non-admin users
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from mounting filesystems
- Monitor for unusual mount operations or kernel crashes related to EROFS
🔍 How to Verify
Check if Vulnerable:
Check whether the EROFS module is loaded: 'lsmod | grep erofs'. Compare the running kernel version against the patched versions.
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel includes the fix commits: run 'uname -r' and check the kernel source or your distribution's patch notes.
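The following is an added example, not code from the advisory or from the kernel project. It turns the "Disable EROFS module" workaround and the "Check if Vulnerable" step above into a small POSIX shell audit: it reports whether erofs is built into the kernel (in which case neither a modprobe rule nor rmmod can remove it), whether it is currently loaded, and whether a modprobe.d "install" rule actually blocks it. The function names are hypothetical; the paths used (/etc/modprobe.d and /lib/modules/$(uname -r)/modules.builtin) are the standard kernel locations.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit whether the erofs module is
# loaded, built in, or blocked by a modprobe.d "install" rule. The helper
# names are hypothetical; the paths used are the standard kernel locations.

# erofs_module_loaded LSMOD_TEXT: 0 if the given lsmod-style text lists erofs.
erofs_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "erofs" { found = 1 } END { exit !found }'
}

# erofs_install_blocked DIR: 0 if a *.conf file in DIR carries an
# "install erofs /bin/false" (or /bin/true) rule, which makes modprobe
# refuse to load the module. A plain "blacklist" line only stops alias-based
# autoloading and is deliberately not accepted here.
erofs_install_blocked() {
    [ -d "$1" ] || return 1
    grep -Eqs '^[[:space:]]*install[[:space:]]+erofs[[:space:]]+/bin/(false|true)([[:space:]]|$)' "$1"/*.conf
}

# erofs_builtin BUILTIN_FILE: 0 if the modules.builtin list names erofs,
# in which case no modprobe rule or rmmod can remove it.
erofs_builtin() {
    grep -qs '/erofs\.ko' "$1"
}

# Report the state of the running host.
erofs_status() {
    kver=$(uname -r)
    echo "kernel: $kver"
    if erofs_builtin "/lib/modules/$kver/modules.builtin"; then
        echo "erofs: built into the kernel (only a kernel update removes it)"
    elif erofs_module_loaded "$(lsmod 2>/dev/null)"; then
        echo "erofs: loaded as a module (rmmod only succeeds with no EROFS mounts)"
    else
        echo "erofs: not loaded"
    fi
    if erofs_install_blocked /etc/modprobe.d; then
        echo "modprobe: install rule blocks erofs"
    else
        echo "modprobe: no install rule; the module can still be loaded"
    fi
}

# Print the report only when invoked directly with --status, so the
# functions can also be sourced into other scripts.
if [ "${1:-}" = "--status" ]; then
    erofs_status
fi
```

Run it as `sh erofs-audit.sh --status` on the host. The helpers take their input as arguments so the same checks can be run against captured `lsmod` output or a copied modprobe.d directory, and so that a "blacklist erofs" line, which does not stop an explicit `modprobe erofs`, is not mistaken for the stronger "install" rule the workaround uses.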
📡 Detection & Monitoring
Log Indicators:
- Kernel oops or panic messages mentioning erofs
- Failed mount attempts with EROFS and multiple devices
- System crashes during filesystem operations
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="kernel" AND ("erofs" OR "EROFS") AND ("panic" OR "oops" OR "BUG")
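As an added example (not from the advisory), here is a host-side equivalent of the SIEM query above, for systems whose kernel logs are not shipped to a SIEM. It applies the same "erofs plus crash keyword" filter to kernel log lines read from stdin and adds a second filter for the failed-mount indicator from the list above. The function names are hypothetical, and the sample log lines are constructed for the demonstration, not output from an affected system.

```shell
#!/bin/sh
# Added example, not part of the advisory: a host-side version of the SIEM
# query above, applied to kernel log lines read from stdin. Function names
# are hypothetical; the sample log lines are constructed, not real output.

# Lines that mention erofs (any case) together with a crash keyword.
erofs_crash_lines() {
    grep -i 'erofs' | grep -E '[Pp]anic|[Oo]ops|BUG'
}

# Lines that mention erofs together with a failed mount, the second log
# indicator listed above.
erofs_mount_failure_lines() {
    grep -i 'erofs' | grep -iE 'mount failed|failed to mount|cannot mount'
}

# Count helpers for scripts and checks; they take the log text as their
# first argument and print the number of matching lines.
erofs_crash_count() {
    printf '%s\n' "$1" | erofs_crash_lines | wc -l | tr -d ' '
}
erofs_mount_failure_count() {
    printf '%s\n' "$1" | erofs_mount_failure_lines | wc -l | tr -d ' '
}

# Constructed sample: two crash indicators and one failed mount among
# unrelated noise (a clean EROFS mount, an ext4 mount, and an Oops that
# does not mention erofs).
SAMPLE_LOG='[   12.001] EROFS (device sda1): mounted with root inode @ nid 36.
[   13.440] BUG: KASAN: slab-use-after-free in erofs (constructed sample line)
[   13.441] erofs: mount failed, err -22
[   14.100] EXT4-fs (sdb1): mounted filesystem with ordered data mode.
[   15.200] Kernel panic - not syncing: fatal exception in erofs path
[   16.000] Oops: 0000 [#1] PREEMPT SMP'

echo "erofs crash indicators:  $(erofs_crash_count "$SAMPLE_LOG")"
echo "erofs mount failures:    $(erofs_mount_failure_count "$SAMPLE_LOG")"
```

On a live host, pipe `dmesg` or `journalctl -k --no-pager` into `erofs_crash_lines`; the Oops line in the sample shows why the erofs match is required, since a crash that never names erofs is not evidence for this CVE.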