{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-22121","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.823Z","datePublished":"2025-04-16T14:13:05.894Z","dateUpdated":"2026-05-11T21:13:22.557Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:13:22.557Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere's issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                   ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn't check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/inode.c","fs/ext4/xattr.c","fs/ext4/xattr.h"],"versions":[{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"27202452b0bc942fdc3db72a44c4dcdab96d5b56","status":"affected","versionType":"git"},{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"b374e9ecc92aaa7fb2ab221ee3ff5451118ab566","status":"affected","versionType":"git"},{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"c000a8a9b5343a5ef867df173c6349672dacbd0f","status":"affected","versionType":"git"},{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"3c591353956ffcace2cc74d09930774afed60619","status":"affected","versionType":"git"},{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"098927a13fd918bd7c64c2de905350a1ad7b4a3a","status":"affected","versionType":"git"},{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8","status":"affected","versionType":"git"},{"version":"e50e5129f384ae282adebfb561189cdb19b81cee","lessThan":"5701875f9609b000d91351eaa6bfd97fe2f157f4","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/ext4/inode.c","fs/ext4/xattr.c","fs/ext4/xattr.h"],"versions":[{"version":"4.13","status":"affected"},{"version":"0","lessThan":"4.13","status":"unaffected","versionType":"semver"},{"version":"5.10.248","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.198","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.161","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.120","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.59","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.14.2","lessThanOrEqual":"6.14.*","status":"unaffected","versionType":"semver"},{"version":"6.15","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.10.248"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"5.15.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.1.161"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.6.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.12.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.14.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.13","versionEndExcluding":"6.15"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56"},{"url":"https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566"},{"url":"https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f"},{"url":"https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619"},{"url":"https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a"},{"url":"https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8"},{"url":"https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4"}],"title":"ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()","x_generator":{"engine":"bippy-1.2.0"}}}}