PatchSiren

CVE-2025-68251 Linux CVE debrief

A vulnerability in the Linux kernel's EROFS (Enhanced Read-Only File System) implementation could allow infinite loops when processing crafted filesystem images. The issue affects subpage compact compression indexes where corrupted metadata can cause `clusterofs` to exceed `lclustersize` for non-head logical clusters. The fix relocates validation logic to `z_erofs_load_lcluster_from_disk()` to ensure proper bounds checking across both compact and full compression index types.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-16
Original CVE updated: 2026-04-15
Advisory published: 2025-12-16
Advisory updated: 2026-04-15

Who should care

Linux system administrators, kernel maintainers, embedded device manufacturers using EROFS for read-only root filesystems, and security teams monitoring for denial-of-service conditions in filesystem handling.

Technical summary

The EROFS filesystem driver in the Linux kernel prior to the fix commits contains a logic error in handling subpage compact compression indexes. When processing a crafted image with corrupted metadata where `clusterofs > lclustersize` for a non-head logical cluster, the driver enters an infinite loop rather than rejecting the malformed data. The vulnerability exists in the cluster loading path where validation was insufficient for subpage compact index formats. The resolution moves clusterofs validation into `z_erofs_load_lcluster_from_disk()` to apply uniformly across index types and repositions the type maximum check to occur immediately after cluster loading.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing commits 8675447a8794983f2b7e694b378112772c17635e and e13d315ae077bb7c3c6027cc292401bc0f4ec683
  • Validate EROFS image integrity before mounting from untrusted sources
  • Monitor for unusual CPU consumption during EROFS filesystem operations
  • Restrict mounting of EROFS images to privileged contexts where possible

Evidence notes

The vulnerability was reported by Robert and resolved through kernel patches that add validation for corrupted subpage compact indexes. The root cause involves malformed EROFS images where `clusterofs` (515) exceeds `lclustersize` (512) at logical cluster number 6, triggering unbounded iteration. The fix also corrects placement of the `m->type >= Z_EROFS_LCLUSTER_TYPE_MAX` check to immediately follow cluster loading operations.
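The check placement described in the technical summary and the evidence notes, as an added C model that is not kernel code and not taken from the advisory. The struct, enum and function names are hypothetical, the bound is applied to every entry without modelling per-type lcluster handling, and the sample table is constructed around the reported values (lclustersize 512, lcn 6, clusterofs 515).

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model of where the validation sits; not kernel code.
 * All names are hypothetical; entries are treated as already decoded. */
enum { OK = 0, ERR_UNSUPPORTED = -1, ERR_CORRUPTED = -2 };
enum index_fmt { FMT_COMPACT, FMT_FULL };
#define LCLUSTER_TYPE_MAX 4u /* assumed number of valid type values */
struct lcluster { enum index_fmt fmt; uint8_t type; uint16_t clusterofs; };

/* Before: only the full-index branch bounds clusterofs. */
int load_before(const struct lcluster *e, unsigned bits)
{
    if (e->fmt == FMT_FULL && e->clusterofs >= (1u << bits))
        return ERR_CORRUPTED;
    return OK; /* compact entries reach the caller unchecked */
}

/* After: one validation step in the shared loader covers both formats. */
int load_after(const struct lcluster *e, unsigned bits)
{
    if (e->type >= LCLUSTER_TYPE_MAX) /* type check right after loading */
        return ERR_UNSUPPORTED;
    if (e->clusterofs >= (1u << bits)) /* offset must fit in the lcluster */
        return ERR_CORRUPTED;
    return OK;
}

/* First lcn that the given loader rejects, or -1 if every entry passes. */
int first_rejected(int (*load)(const struct lcluster *, unsigned),
                   const struct lcluster *tab, int n, unsigned bits)
{
    for (int lcn = 0; lcn < n; lcn++)
        if (load(&tab[lcn], bits) != OK)
            return lcn;
    return -1;
}

/* Constructed table: 8 compact entries, lclustersize 512 (bits 9), lcn 6 bad. */
static const struct lcluster sample[8] = { [6] = { FMT_COMPACT, 0, 515 } };

int main(void)
{
    printf("before: %d, after: %d\n", first_rejected(load_before, sample, 8, 9),
           first_rejected(load_after, sample, 8, 9));
    return 0;
}
```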
