VYPR
Unrated severity · NVD Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-40198

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid potential buffer over-read in parse_apply_sb_mount_options()

Unlike other strings in the ext4 superblock, we rely on tune2fs to make sure s_mount_opts is NUL terminated. Harden parse_apply_sb_mount_options() by treating s_mount_opts as a potential __nonstring.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A potential buffer over-read in ext4's parse_apply_sb_mount_options() due to unguaranteed NUL termination of the s_mount_opts string from the superblock.

Vulnerability

In the Linux kernel's ext4 filesystem, the parse_apply_sb_mount_options() function reads the s_mount_opts field from the superblock to process mount options. Unlike other strings in the ext4 superblock, s_mount_opts is not guaranteed to be NUL-terminated; the kernel relies on tune2fs to ensure proper termination. This missing guarantee creates a potential buffer over-read when the function processes the string without bounds checking [1].

Exploitation

An attacker would need the ability to craft a malicious ext4 filesystem image with an s_mount_opts field that does not contain a NUL terminator within the expected size. When the filesystem is mounted (either by a local user with mount privileges or by the system automatically), the parse_apply_sb_mount_options() function may read beyond the intended buffer, leaking out-of-bounds kernel memory or triggering undefined behavior. No authentication is required beyond the ability to mount the crafted filesystem [1][2].

Impact

Successful exploitation could lead to information disclosure (reading kernel memory beyond the buffer) or a system crash (denial of service). In some scenarios, it might be leveraged for further attacks if the over-read reveals sensitive data such as kernel pointers or other protected information. The vulnerability does not directly provide arbitrary code execution, but the information leak could aid in bypassing mitigations like KASLR [1][3].

Mitigation

The fix patches parse_apply_sb_mount_options() to treat s_mount_opts as a potential __nonstring, ensuring that the kernel explicitly handles the lack of guaranteed NUL termination by using bounded string operations. The commits have been applied to the stable kernel tree, and system administrators should apply the latest kernel updates to remediate this issue [1][2][3].
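The bounded handling described above, shown as an added userspace illustration; it is not the kernel patch and not code from this advisory. The `fake_sb` struct, the 64-byte field size and all helper names are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

#define MOUNT_OPTS_LEN 64 /* field size assumed for this sketch */

/* Constructed stand-in for an on-disk layout, not the kernel's struct:
 * a fixed-size byte field followed directly by unrelated data. */
struct fake_sb {
    unsigned char s_mount_opts[MOUNT_OPTS_LEN]; /* may lack a NUL */
    unsigned char next_field[8];
};

/* Length of the option text, never scanning past the field itself. */
static size_t opts_len(const struct fake_sb *sb)
{
    const unsigned char *nul = memchr(sb->s_mount_opts, '\0', MOUNT_OPTS_LEN);
    return nul ? (size_t)(nul - sb->s_mount_opts) : MOUNT_OPTS_LEN;
}

/* Copy into a buffer one byte larger than the field and zero-pad it, so
 * the result is always a C string. Returns 1 if the field had no NUL. */
static int copy_mount_opts(const struct fake_sb *sb, char out[MOUNT_OPTS_LEN + 1])
{
    size_t n = opts_len(sb);
    memcpy(out, sb->s_mount_opts, n);
    memset(out + n, 0, MOUNT_OPTS_LEN + 1 - n);
    return n == MOUNT_OPTS_LEN;
}

/* Constructed samples: terminated option text, or a field filled end to
 * end so that no NUL exists inside the field. */
static void make_sample(struct fake_sb *sb, int terminated)
{
    memset(sb, 0, sizeof(*sb));
    if (terminated)
        memcpy(sb->s_mount_opts, "acl,user_xattr", 14);
    else
        memset(sb->s_mount_opts, 'a', MOUNT_OPTS_LEN);
    memcpy(sb->next_field, "NEIGHBOR", 8);
}

int main(void)
{
    struct fake_sb sb;
    char out[MOUNT_OPTS_LEN + 1];
    make_sample(&sb, 0);
    int unterminated = copy_mount_opts(&sb, out);
    printf("unterminated=%d copied=%zu\n", unterminated, strlen(out));
}
```

A plain `strlen()` or `strcpy()` on the unterminated sample would keep reading into `next_field` and beyond; the bounded copy stops at the field boundary and reports the missing terminator.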

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
