CVE-2025-40049: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40049 is a vulnerability discovered in the Linux kernel's Squashfs filesystem implementation. The issue was identified and disclosed on October 28, 2025, affecting the Squashfs filesystem component. The vulnerability specifically involves an uninitialized value access in the squashfs_get_parent function (NVD).

The vulnerability occurs when open_by_handle_at() is called with a file handle containing an invalid parent inode number, specifically when the inode number is that of a symbolic link rather than a directory. When squashfs_get_parent() is called with a symbolic link inode, it accesses the parent member field through the command 'unsigned int parent_ino = squashfs_i(inode)->parent'. Since non-directory inodes in Squashfs do not have a parent value, this results in an uninitialized value access (NVD).

The vulnerability leads to an uninitialized value access in the Linux kernel's Squashfs filesystem component, which could potentially result in system instability or information disclosure (NVD).

The fix involves initializing the parent field with the invalid inode number 0, which will cause an EINVAL error to be returned when attempting to access invalid parent inodes. Additionally, the parent field has been separated from the block_list_start field in regular inodes to enable this fix (NVD).