CVE-2025-22121
📋 TL;DR
This is a use-after-free vulnerability in the Linux kernel's ext4 filesystem driver that allows reading kernel memory beyond allocated bounds. It affects Linux systems using ext4 filesystems and can lead to kernel crashes or potential privilege escalation. The vulnerability occurs during extended attribute cleanup operations when deleting inodes.
💻 Affected Systems
- Linux kernel
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash, or potential privilege escalation to root if combined with other vulnerabilities.
Likely Case
System instability, kernel crashes, or denial of service due to memory corruption.
If Mitigated
Limited to denial of service if proper kernel hardening and isolation are in place.
🎯 Exploit Status
Requires local access and ability to trigger specific filesystem operations. KASAN detection suggests it was found through fuzzing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions that include commit 098927a13fd918bd7c64c2de905350a1ad7b4a3a or later
Vendor Advisory: https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version.
2. Check distribution-specific security advisories.
3. Reboot system after kernel update.
🔧 Temporary Workarounds
Disable extended attributes on ext4
Mount ext4 filesystems with the 'no_user_xattr' option to disable extended attribute support
mount -o remount,no_user_xattr /mount/point
Use alternative filesystem
Use XFS, Btrfs, or other filesystems instead of ext4 for critical partitions
🧯 If You Can't Patch
- Restrict local user access to minimize attack surface
- Implement strict SELinux/AppArmor policies to limit filesystem operations
🔍 How to Verify
Check if Vulnerable:
Check kernel version and verify if it includes the vulnerable ext4_xattr_inode_dec_ref_all() function without the fix
Check Version:
uname -r
Verify Fix Applied:
Verify kernel version includes commit 098927a13fd918bd7c64c2de905350a1ad7b4a3a or check for xattr_check_inode() calls in ext4_iget_extra_inode()
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- KASAN reports mentioning ext4_xattr_inode_dec_ref_all
- System crashes during filesystem operations
SIEM Query:
source="kernel" AND ("KASAN" OR "use-after-free" OR "ext4_xattr")
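The SIEM query above matches any line containing "KASAN" or "ext4_xattr", so it also fires on unrelated KASAN reports and ordinary ext4 error messages. The following added example (not part of the original advisory) narrows the log indicator to KASAN reports whose faulting function or call trace includes ext4_xattr_inode_dec_ref_all; the sample log is constructed and example_driver_read is a hypothetical function name.

```python
import re

TARGET = "ext4_xattr_inode_dec_ref_all"  # function named in the page's log indicators
PREFIX = re.compile(r"^(?:.*?kernel: )?\[\s*\d+\.\d+\]\s?")  # syslog tag + dmesg timestamp
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr \S+ by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^\??\s*([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Constructed sample: addresses, offsets, task names and line numbers are made up.
SAMPLE_LOG = """\
[  101.100000] EXT4-fs error (device loop0): ext4_xattr_block_get:596: inode #15: comm cp: corrupted xattr block 33
[  245.000001] ==================================================================
[  245.000002] BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x1a0/0x200
[  245.000003] Read of size 4 at addr ffff888000000000 by task sample-task/4242
[  245.000004] Call Trace:
[  245.000006]  ext4_xattr_inode_dec_ref_all+0x1a0/0x200
[  245.000007]  ext4_xattr_delete_inode+0x30/0x40
[  245.000008]  ext4_evict_inode+0x50/0x60
[  245.000009] ==================================================================
[  300.000001] ==================================================================
[  300.000002] BUG: KASAN: slab-out-of-bounds in example_driver_read+0x10/0x20
[  300.000003] Write of size 8 at addr ffff888000000100 by task other-task/77
[  300.000004] ==================================================================
"""

def parse_kasan_reports(text):
    """Split kernel log text into KASAN reports (header, access line, stack frames)."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        head = HEADER.search(line)
        if head:
            cur = {"kind": head["kind"], "func": head["func"], "access": None, "frames": []}
            reports.append(cur)
        elif cur is not None and line.startswith("====="):
            cur = None  # closing separator ends the current report
        elif cur is not None:
            acc, frame = ACCESS.search(line), FRAME.match(line)
            if acc:
                cur["access"] = (acc["op"], int(acc["size"]), acc["task"], int(acc["pid"]))
            elif frame:
                cur["frames"].append(frame[1])
    return reports

def ext4_xattr_hits(text):
    """KASAN reports whose faulting function or call trace includes TARGET."""
    return [r for r in parse_kasan_reports(text)
            if r["func"] == TARGET or TARGET in r["frames"]]
```

Feed it the output of `dmesg` or the kernel log file; each hit carries the access type, size and task, which is what an analyst needs to correlate the report with the filesystem operation that triggered it.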
🔗 References
- https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a
- https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8
- https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56
- https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619
- https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4
- https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566
- https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f