CVE-2025-68820
Description
In the Linux kernel, the following vulnerability has been resolved:
ext4: xattr: fix null pointer deref in ext4_raw_inode()
If ext4_get_inode_loc() fails (e.g. if it returns -EFSCORRUPTED), iloc.bh will remain set to NULL. Since ext4_xattr_inode_dec_ref_all() lacks error checking, this will lead to a null pointer dereference in ext4_raw_inode(), called right after ext4_get_inode_loc().
Found by Linux Verification Center (linuxtesting.org) with SVACE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A null pointer dereference in ext4_xattr_inode_dec_ref_all() can crash the Linux kernel when ext4_get_inode_loc() fails on corrupted filesystems.
Vulnerability Overview
In the Linux kernel's ext4 filesystem driver, the function ext4_xattr_inode_dec_ref_all() calls ext4_get_inode_loc() to obtain the inode buffer head. If that call fails (e.g., due to filesystem corruption returning -EFSCORRUPTED), the buffer head pointer iloc.bh remains NULL. The code then proceeds to call ext4_raw_inode() without checking for this failure, which dereferences the NULL pointer, causing a kernel crash (denial of service) [1].
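The missing check described above, as an added user-space model (not the kernel source and not the upstream patch). The struct layouts, the `corrupted` flag, the `block` buffer and the `dec_ref_all_*` names are assumptions made for illustration; the unchecked caller is shown only for contrast and would crash if run on the failing path.

```c
#include <stddef.h>

#define EFSCORRUPTED 117   /* the kernel defines EFSCORRUPTED as EUCLEAN */

/* Simplified stand-ins for the kernel types; not the real definitions. */
struct buffer_head { char *b_data; };
struct iloc { struct buffer_head *bh; size_t offset; };
struct raw_inode { unsigned int i_extra_isize; };

/* Constructed "disk block": the inode sits at byte offset 128 (index 32). */
static unsigned int block[64] = { [32] = 32 };
static struct buffer_head good_bh = { (char *)block };

/* Models ext4_get_inode_loc(): on failure iloc->bh is left untouched. */
static int get_inode_loc(int corrupted, struct iloc *iloc)
{
    if (corrupted)
        return -EFSCORRUPTED;
    iloc->bh = &good_bh;
    iloc->offset = 128;
    return 0;
}

/* Models ext4_raw_inode(): dereferences iloc->bh unconditionally. */
static struct raw_inode *raw_inode(struct iloc *iloc)
{
    return (struct raw_inode *)(iloc->bh->b_data + iloc->offset);
}

/* Unchecked caller, the shape the description reports. */
int dec_ref_all_unchecked(int corrupted, unsigned int *extra)
{
    struct iloc iloc = { .bh = NULL };
    get_inode_loc(corrupted, &iloc);           /* return value ignored */
    *extra = raw_inode(&iloc)->i_extra_isize;  /* NULL deref if it failed */
    return 0;
}

/* Checked caller: stop before iloc.bh is ever touched. */
int dec_ref_all_checked(int corrupted, unsigned int *extra)
{
    struct iloc iloc = { .bh = NULL };
    int err = get_inode_loc(corrupted, &iloc);
    if (err)
        return err;
    *extra = raw_inode(&iloc)->i_extra_isize;
    return 0;
}
```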
Attack Vector and Prerequisites
The vulnerability is triggered by attempting to access extended attributes on a corrupted ext4 filesystem. No special privileges are required beyond mounting and accessing the filesystem; an attacker who can induce or exploit filesystem corruption (e.g., via physical access, compromised storage, or a crafted image) can cause the kernel to panic [1]. The issue was discovered by the Linux Verification Center using the SVACE static analysis tool [2].
Impact
A successful exploit leads to a null pointer dereference in kernel space, resulting in a system crash (denial of service). There is no indication of memory corruption or privilege escalation. The impact is limited to availability, as the attacker cannot execute arbitrary code or bypass security boundaries [1].
Mitigation Status
The fix has been applied to the stable kernel trees, as shown in commits [1], [2], and [3]. Users should update their kernels to versions containing this patch (e.g., later releases of the 5.x and 6.x series). No workaround is available other than avoiding access to corrupted ext4 filesystems or applying the kernel update [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- git.kernel.org/stable/c/190ad0f22ba49f1101182b80e3af50ca2ddfe72f (nvd)
- git.kernel.org/stable/c/3d8d22e75f7edfa0b30ff27330fd6a1285d594c3 (nvd)
- git.kernel.org/stable/c/5b154e901fda2e98570b8f426a481f5740097dc2 (nvd)
- git.kernel.org/stable/c/b5d942922182e82724b7152cb998f540132885ec (nvd)
- git.kernel.org/stable/c/b72a3476f0c97d02f63a6e9fff127348d55436f6 (nvd)
- git.kernel.org/stable/c/b97cb7d6a051aa6ebd57906df0e26e9e36c26d14 (nvd)
- git.kernel.org/stable/c/ce5f54c065a4a7cbb92787f4f140917112350142 (nvd)