CVE-2025-40190
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ext4: guard against EA inode refcount underflow in xattr update
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like:
EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117
Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode().
This prevents the underflow and the follow-on orphan/cleanup churn.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ea39e712c2f5ae148ee5515798ae03523673e002 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 505e69f76ac497e788f4ea0267826ec7266b40c8 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3d6269028246f4484bfed403c947a114bb583631 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 79ea7f3e11effe1bd9e753172981d9029133a278 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 6b879c4c6bbaab03c0ad2a983953bd1410bb165e | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 440b003f449a4ff2a00b08c8eab9ba5cd28f3943 | affected |
| Linux | Linux | 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 57295e835408d8d425bef58da5253465db3d6888 | affected |
| Linux | Linux | 0 < 5.4.301 | affected |
| Linux | Linux | 0 < 5.10.246 | affected |
| Linux | Linux | 0 < 5.15.195 | affected |
| Linux | Linux | 0 < 6.1.157 | affected |
| Linux | Linux | 0 < 6.6.113 | affected |
| Linux | Linux | 0 < 6.12.54 | affected |
| Linux | Linux | 0 < 6.17.4 | affected |
| Linux | Linux | 5.4.301 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.246 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.195 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.157 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.113 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.54 <= 6.12.* | unaffected |
| Linux | Linux | 6.17.4 <= 6.17.* | unaffected |
| Linux | Linux | 6.18 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002
- https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814
- https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8
- https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631
- https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278
- https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e
- https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943
- https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.