CVE-2025-40167
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: detect invalid INLINE_DATA + EXTENTS flag combination
syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.
The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:
EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66
Investigation revealed that the inode has both flags set:
DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1
This is an invalid combination since an inode should have either:
- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks
Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.
Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.
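The flag check and the wrap-around described above, as an added userspace example (not the kernel patch and not code from this page): it reads i_flags from a raw on-disk inode and shows what an unchecked hole-length subtraction yields for the logged values. The function names, the 128-byte sample inode and the simplified hole-length model are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* On-disk i_flags bits as defined in the kernel's fs/ext4/ext4.h. */
#define EXT4_EXTENTS_FL     0x00080000u
#define EXT4_INLINE_DATA_FL 0x10000000u
#define I_FLAGS_OFFSET      0x20 /* byte offset of i_flags in struct ext4_inode */

enum { INODE_OK = 0, INODE_BAD_FLAGS = -1, INODE_TRUNCATED = -2 };

/* ext4 stores on-disk integers little-endian. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reject a raw inode that claims both inline data and an extent tree
 * (hypothetical helper, not a kernel function). */
int check_inode_flags(const uint8_t *raw, size_t len)
{
    if (len < I_FLAGS_OFFSET + 4)
        return INODE_TRUNCATED;
    uint32_t flags = le32(raw + I_FLAGS_OFFSET);
    if ((flags & EXT4_INLINE_DATA_FL) && (flags & EXT4_EXTENTS_FL))
        return INODE_BAD_FLAGS;
    return INODE_OK;
}

/* Simplified model (assumption): hole between the previous extent's end
 * and the next extent's start. Unchecked, an out-of-order pair wraps. */
uint32_t hole_len_unchecked(uint32_t prev, uint32_t lblk)
{
    return lblk - prev;
}

int main(void)
{
    uint8_t inode[128] = {0};   /* constructed sample inode */
    inode[0x22] = 0x08;         /* EXT4_EXTENTS_FL, little-endian byte 2 */
    inode[0x23] = 0x10;         /* EXT4_INLINE_DATA_FL, little-endian byte 3 */
    printf("verdict: %d\n", check_inode_flags(inode, sizeof inode));
    /* Values from the log line above: lblk 0 < prev 66. */
    printf("hole: %u blocks\n", (unsigned)hole_len_unchecked(66, 0));
    return 0;
}
```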
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A corrupted ext4 filesystem containing an inode with both the INLINE_DATA and EXTENTS flags set triggers a BUG_ON because the extent tree is left unvalidated; the fix rejects such inodes early in ext4_iget().
Vulnerability Overview
CVE-2025-40167 is a flaw in the Linux kernel's ext4 filesystem driver where an inode is allowed to have both the INLINE_DATA and EXTENTS flags set simultaneously. This combination is invalid because inline data stores file content directly in the inode structure, while extents use block-mapped trees. The kernel's ext4_has_inline_data() check returns true for such inodes, causing __ext4_iget() to skip extent tree validation. As a result, a corrupted filesystem can present an out-of-order extent tree that leads to an integer underflow when calculating hole sizes in ext4_es_cache_extent(), triggering a BUG_ON crash [1][2].
Exploitation Scenario
An attacker with the ability to mount a crafted ext4 filesystem image (e.g., via a removable device or a malicious disk image) can trigger this bug. The vulnerability is reachable when the filesystem is mounted without a journal, as reported by syzbot. No special privileges beyond mounting a filesystem are required, making it a local denial-of-service vector. The corrupted inode can be accessed by opening a verity file or any file that causes the kernel to read the inode's extent tree [3].
Impact
Successful exploitation results in a kernel panic (BUG_ON), causing a denial of service. The crash occurs in ext4_es_cache_extent() due to unvalidated extent entries. While the issue does not directly allow arbitrary code execution, it can be used to deny service to legitimate users. The vulnerability is classified with a CVSS score of 5.5 (medium severity) [4].
Mitigation
The fix, committed to the Linux kernel stable tree, adds a check early in ext4_iget() to reject inodes that have both the INLINE_DATA and EXTENTS flags set. This prevents the corrupted inode from being loaded, avoiding the subsequent crash. Users should apply the kernel patch from the referenced commits [1][2][3][4]. No workaround is available other than avoiding mounting untrusted ext4 filesystems without a journal.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
4954d297c91d, f061f7c331fc, 2e9e10657b04, 1437c95ab2a2, cb6039b68efa, de985264eef6, 1f5ccd22ff48, 1d3ad183943b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b (nvd)
- git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b (nvd)
- git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717 (nvd)
- git.kernel.org/stable/c/2e9e10657b04152ed0d6ecae8d0c02a3405e28f5 (nvd)
- git.kernel.org/stable/c/4954d297c91d292630ab43ba4d195dc371ce65d3 (nvd)
- git.kernel.org/stable/c/cb6039b68efa547b676a8a10fc4618d9d1865c23 (nvd)
- git.kernel.org/stable/c/de985264eef64be8a90595908f2e6a87946dad34 (nvd)
- git.kernel.org/stable/c/f061f7c331fc16250fc82aa68964f35821687217 (nvd)