CVE-2025-40190
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: guard against EA inode refcount underflow in xattr update
syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like:
EXT4-fs error: EA inode ref underflow: ref_count=-1 ref_change=-1
EXT4-fs warning: ea_inode dec ref err=-117
Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode().
This prevents the underflow and the follow-on orphan/cleanup churn.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's ext4 filesystem, a missing refcount check in xattr EA inode updates allows the refcount to underflow to -1, which triggers corruption errors.
Vulnerability
In the Linux kernel's ext4 filesystem, the function ext4_xattr_inode_update_ref() in fs/ext4/xattr.c updates an EA inode's reference count without first verifying that the current refcount is positive. When ext4_xattr_inode_update_ref() reads a refcount that is already <= 0 and then applies a ref_change (often -1), the refcount can underflow to -1. This triggers errors like "EXT4-fs error: EA inode ref underflow: ref_count=-1 ref_change=-1" and "EXT4-fs warning: ea_inode dec ref err=-117" [1].
Exploitation
The vulnerability is triggered during xattr update operations on an ext4 filesystem. An attacker with the ability to mount a crafted ext4 filesystem (e or to trigger xattr operations on a filesystem with corrupted EA inodes can cause the refcount underflow. No special privileges are required beyond the ability to perform xattr operations on the filesystem [2].
Impact
An attacker can cause a refcount underflow, leading to filesystem corruption and potential denial of service. The kernel may emit error messages and the filesystem may become inconsistent, potentially requiring fsck to repair. The underflow can also lead to orphan inode cleanup churn [1].
Mitigation
The fix adds an explicit check: if the current refcount is non-positive, treat it as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. The WARN_ONCE() is removed as negative refcounts are now impossible. The patch has been applied to the stable kernel tree [1][2][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
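The guard described under Mitigation, as an added example: a simplified user-space model written for this page, not the kernel's code or the fix commit. The struct, both function names and the MODEL_EFSCORRUPTED constant are hypothetical; the value 117 and the message text come from the log lines quoted above, and the corrupt starting refcount of 0 is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* 117 is the errno in the page's log line (err=-117), reported as -EFSCORRUPTED. */
#define MODEL_EFSCORRUPTED 117

/* Hypothetical stand-in for an EA inode's stored reference count. */
struct ea_inode_model {
    int64_t ref_count;     /* value as read from disk */
    int     error_flagged; /* stands in for ext4_error_inode() having fired */
};

/* Unguarded model: apply ref_change first, notice the bad value afterwards.
 * The bogus count is already stored by the time the error is returned. */
static int update_ref_unguarded(struct ea_inode_model *ea, int ref_change)
{
    ea->ref_count += ref_change;
    if (ea->ref_count < 0) {
        fprintf(stderr, "EA inode ref underflow: ref_count=%lld ref_change=%d\n",
                (long long)ea->ref_count, ref_change);
        return -MODEL_EFSCORRUPTED;
    }
    return 0;
}

/* Guarded model, following the description's wording: a non-positive current
 * count is treated as on-disk corruption and the count is left untouched. */
static int update_ref_guarded(struct ea_inode_model *ea, int ref_change)
{
    if (ea->ref_count <= 0) {
        ea->error_flagged = 1;
        return -MODEL_EFSCORRUPTED;
    }
    ea->ref_count += ref_change;
    return 0;
}

int main(void)
{
    /* Constructed corrupt state: refcount already 0 before a decrement. */
    struct ea_inode_model a = { 0, 0 }, b = { 0, 0 };
    int ra = update_ref_unguarded(&a, -1);
    int rb = update_ref_guarded(&b, -1);
    printf("unguarded: ret=%d ref_count=%lld\n", ra, (long long)a.ref_count);
    printf("guarded:   ret=%d ref_count=%lld\n", rb, (long long)b.ref_count);
    return 0;
}
```

Both variants return the same error code; the difference is that only the unguarded one leaves a negative count behind for later cleanup paths to act on.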
Affected products (3)
Patches (8)
ea39e712c2f5, 1cfb3e4ddbdc, 505e69f76ac4, 3d6269028246, 79ea7f3e11ef, 6b879c4c6bba, 440b003f449a, 57295e835408
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814 (nvd)
- git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631 (nvd)
- git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943 (nvd)
- git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8 (nvd)
- git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888 (nvd)
- git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e (nvd)
- git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278 (nvd)
- git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002 (nvd)