CVE-2025-40167

Linux Kernel - Denial of Service via Invalid INLINE_DATA and EXTENTS Flag Combination

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: detect invalid INLINE_DATA + EXTENTS flag combination syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal. The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set: EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66 Investigation revealed that the inode has both flags set: DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1 This is an invalid combination since an inode should have either: - INLINE_DATA: data stored directly in the inode - EXTENTS: data stored in extent-mapped blocks Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes. Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.

Scores

EPSS 0.0019
EPSS Percentile 9.1%

Details

Status published
Products (25)
linux/Kernel 3.8.0 - 5.4.301linux
linux/Kernel 5.11.0 - 5.15.196linux
linux/Kernel 5.16.0 - 6.1.158linux
linux/Kernel 5.5.0 - 5.10.246linux
linux/Kernel 6.13.0 - 6.17.5linux
linux/Kernel 6.2.0 - 6.6.114linux
linux/Kernel 6.7.0 - 6.12.55linux
Linux/Linux < 3.8
Linux/Linux 3.8
Linux/Linux 5.10.246 - 5.10.*
... and 15 more
Published Nov 12, 2025
Tracked Since Feb 18, 2026