CVE-2025-40190

Linux Kernel < 5.4.301, 5.5.0-6.17.4 - EA Inode Refcount Underflow in xattr Update

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn.

Scores

EPSS 0.0021
EPSS Percentile 10.8%

Details

Status published
Products (30)
linux/Kernel < 5.4.301linux
linux/Kernel 5.11.0 - 5.15.195linux
linux/Kernel 5.16.0 - 6.1.157linux
linux/Kernel 5.5.0 - 5.10.246linux
linux/Kernel 6.13.0 - 6.17.4linux
linux/Kernel 6.2.0 - 6.6.113linux
linux/Kernel 6.7.0 - 6.12.54linux
Linux/Linux < 5.10.246
Linux/Linux < 5.15.195
Linux/Linux < 5.4.301
... and 20 more
Published Nov 12, 2025
Tracked Since Feb 18, 2026