CVE-2025-68264
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: refresh inline data size before write operations
The cached ei->i_inline_size can become stale between the initial size check and when ext4_update_inline_data()/ext4_create_inline_data() use it. Although ext4_get_max_inline_size() reads the correct value at the time of the check, concurrent xattr operations can modify i_inline_size before ext4_write_lock_xattr() is acquired.
This causes ext4_update_inline_data() and ext4_create_inline_data() to work with stale capacity values, leading to a BUG_ON() crash in ext4_write_inline_data():
kernel BUG at fs/ext4/inline.c:1331! BUG_ON(pos + len > EXT4_I(inode)->i_inline_size);
The race window: 1. ext4_get_max_inline_size() reads i_inline_size = 60 (correct) 2. Size check passes for 50-byte write 3. [Another thread adds xattr, i_inline_size changes to 40] 4. ext4_write_lock_xattr() acquires lock 5. ext4_update_inline_data() uses stale i_inline_size = 60 6. Attempts to write 50 bytes but only 40 bytes actually available 7. BUG_ON() triggers
Fix this by recalculating i_inline_size via ext4_find_inline_data_nolock() immediately after acquiring xattr_sem. This ensures ext4_update_inline_data() and ext4_create_inline_data() work with current values that are protected from concurrent modifications.
This is similar to commit a54c4613dac1 ("ext4: fix race writing to an inline_data file while its xattrs are changing") which fixed i_inline_off staleness. This patch addresses the related i_inline_size staleness issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Race condition in Linux ext4 inline data write path can cause kernel crash due to stale i_inline_size; fixed by recalculating after locking.
In the Linux kernel ext4 filesystem, a race condition exists in the inline data write path. The cached ei->i_inline_size can become stale between the initial size check and the actual write operations (ext4_update_inline_data()/ext4_create_inline_data()). This leads to a BUG_ON crash in ext4_write_inline_data() when the write length exceeds the actual available inline size. The issue is similar to a previous fix for i_inline_off staleness (commit a54c4613dac1).
Exploitation of this vulnerability requires a local attacker with write access to an ext4 filesystem using inline data and the ability to perform concurrent xattr operations. The race window is between the size check and the acquisition of the xattr semaphore. An attacker can modify xattrs to shrink i_inline_size while a write is in progress, triggering the BUG_ON.
The impact is a denial of service via kernel crash. No privilege escalation or data corruption has been reported. The bug is triggered by legitimate filesystem operations, making it a reliability issue.
The fix has been applied to stable kernel branches via commits [1][2][3][4]. Users should update to kernels containing these patches. The fix recalculates the inline size via ext4_find_inline_data_nolock() after acquiring the xattr semaphore, ensuring the size is current and protected from concurrent modification.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- git.kernel.org/stable/c/1687a055a555347b002f406676a1aaae4668f242nvd
- git.kernel.org/stable/c/210ac60a86a3ad2c76ae60e0dc71c34af6e7ea0bnvd
- git.kernel.org/stable/c/43bf001f0fe4e59bba47c897505222f959f4a1ccnvd
- git.kernel.org/stable/c/54ab81ae5f218452e64470cd8a8139bb5880fe2bnvd
- git.kernel.org/stable/c/58df743faf21ceb1880f930aa5dd428e2a5e415dnvd
- git.kernel.org/stable/c/892e1cf17555735e9d021ab036c36bc7b58b0e3bnvd
- git.kernel.org/stable/c/89c2c41f0974e530b2d032c3695095aa0559adb1nvd
- git.kernel.org/stable/c/ca43ea29b4c4d2764aec8a26cffcfb677a871e6envd
News mentions
0No linked articles in our index yet.