Bug 2414732 (CVE-2025-40190) - CVE-2025-40190 kernel: ext4: guard against EA inode refcount underflow in xattr update
Summary: CVE-2025-40190 kernel: ext4: guard against EA inode refcount underflow in xat...
Keywords:
Status: NEW
Alias: CVE-2025-40190
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-11-12 23:03 UTC by OSIDB Bzimport
Modified: 2025-11-14 06:21 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-11-12 23:03:19 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ext4: guard against EA inode refcount underflow in xattr update

syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA
inode refcount that is already <= 0 and then applies ref_change (often
-1). That lets the refcount underflow and we proceed with a bogus value,
triggering errors like:

  EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
  EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive,
treat this as on-disk corruption, emit ext4_error_inode(), and fail the
operation with -EFSCORRUPTED instead of updating the refcount. Delete the
WARN_ONCE() as negative refcounts are now impossible; keep error reporting
in ext4_error_inode().

This prevents the underflow and the follow-on orphan/cleanup churn.
Note You need to log in before you can comment on or make changes to this bug.