CVE-2025-40119
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix potential null deref in ext4_mb_init()
In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference.
================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace:
xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================
Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in ext4_mb_init() can crash the kernel when memory allocation fails during filesystem mount.
Vulnerability
In the Linux kernel's ext4 filesystem, the function ext4_mb_init() initializes the multi-block allocator. During this initialization, if the slab cache allocation for group information fails, the code path calls ext4_mb_avg_fragment_size_destroy() on an uninitialized sbi->s_mb_avg_fragment_size structure. This function lacks a null pointer check, leading to a null pointer dereference and a kernel panic [1].
Exploitation
The vulnerability is triggered during the mount operation of an ext4 filesystem. An attacker would need the ability to trigger a memory allocation failure in the kernel, typically by exhausting system memory or by exploiting a controlled environment where slab allocations can be made to fail. No authentication is required beyond the ability to mount a filesystem, which may be possible from user space if the attacker has local access or can influence a privileged mount operation.
Impact
A successful exploit results in a kernel NULL pointer dereference, causing a system crash (denial of service). The crash trace shows the fault occurring in _raw_spin_lock_irqsave called from xa_destroy, which is invoked during the cleanup path. This can render the system unavailable until reboot.
Mitigation
The fix, committed to the Linux kernel stable tree, adds null pointer checks to both ext4_mb_avg_fragment_size_destroy() and ext4_mb_largest_free_orders_destroy() to prevent the dereference when the structures are uninitialized [1]. Users should apply the kernel patch or update to a version containing the fix. No workaround is available other than avoiding mount operations under memory pressure.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
308d9175578d600110f3cfc9b3c3fac6bc0a9Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.