CVE-2025-22121

Source
https://cve.org/CVERecord?id=CVE-2025-22121
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22121.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-22121
Published
2025-04-16T14:13:05.894Z
Modified
2026-03-20T12:41:19.931164Z
Summary
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()
Details

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()

There's an issue as follows:

BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790
Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172

CPU: 3 PID: 15172 Comm: syz-executor.0
Call Trace:
 __dump_stack lib/dump_stack.c:82 [inline]
 dump_stack+0xbe/0xfd lib/dump_stack.c:123
 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400
 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
 kasan_report+0x3a/0x50 mm/kasan/report.c:585
 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137
 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896
 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323
 evict+0x39f/0x880 fs/inode.c:622
 iput_final fs/inode.c:1746 [inline]
 iput fs/inode.c:1772 [inline]
 iput+0x525/0x6c0 fs/inode.c:1758
 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]
 ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300
 mount_bdev+0x355/0x410 fs/super.c:1446
 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611
 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576
 do_new_mount fs/namespace.c:2983 [inline]
 path_mount+0x119a/0x1ad0 fs/namespace.c:3316
 do_mount+0xfc/0x110 fs/namespace.c:3329
 __do_sys_mount fs/namespace.c:3540 [inline]
 __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x67/0xd1

Memory state around the buggy address:
 ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

The above issue happens because ext4_xattr_delete_inode() doesn't check whether the xattr is valid if the xattr is in the inode. To solve the above issue, call xattr_check_inode() to check if the xattr is valid in the inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22121.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e50e5129f384ae282adebfb561189cdb19b81cee
Fixed
27202452b0bc942fdc3db72a44c4dcdab96d5b56
Fixed
b374e9ecc92aaa7fb2ab221ee3ff5451118ab566
Fixed
c000a8a9b5343a5ef867df173c6349672dacbd0f
Fixed
3c591353956ffcace2cc74d09930774afed60619
Fixed
098927a13fd918bd7c64c2de905350a1ad7b4a3a
Fixed
0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8
Fixed
5701875f9609b000d91351eaa6bfd97fe2f157f4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-22121.json"