Vulnerability in Linux Kernel Affecting EXT4 Filesystem
CVE-2025-40167

Currently unrated

Key Information:

Vendor: Linux

Status
Vendor
CVE Published: 12 November 2025

What is CVE-2025-40167?

A vulnerability exists in the Linux kernel's ext4 filesystem in which an inode can hold both the INLINE_DATA and EXTENTS flags at once. This invalid combination prevents the kernel from correctly validating the extent tree during inode retrieval. As a result, out-of-order extents can later trigger a BUG_ON through an integer underflow in the hole-size calculation. The fix detects this flag conflict early in the ext4_iget() function and rejects the corrupted inode to maintain filesystem integrity.
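The following userspace C sketch is an added example, not the kernel patch or code from this page: it applies the flag-conflict check described above to one raw on-disk inode and shows how an unsigned hole-size subtraction wraps when extents are out of order. The names `check_inode`, `hole_len` and `build_sample` are hypothetical, the sample inode is constructed, and only depth-0 extent trees stored in `i_block` are walked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ext4 on-disk inode flag bits and extent header magic. */
#define EXT4_EXTENTS_FL     0x00080000u
#define EXT4_INLINE_DATA_FL 0x10000000u
#define EXT4_EXT_MAGIC      0xF30Au
enum verdict { INODE_OK, FLAG_CONFLICT, BAD_EXTENTS, NOT_CHECKED };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Illustrative gap between two extents; unsigned, so it wraps when they are out of order. */
uint32_t hole_len(uint32_t prev_start, uint32_t prev_len, uint32_t next_start) {
    return next_start - (prev_start + prev_len);
}

/* Hypothetical userspace check of one raw on-disk inode (at least 128 bytes). */
enum verdict check_inode(const uint8_t *raw) {
    uint32_t flags = le32(raw + 0x20);   /* i_flags */
    const uint8_t *ib = raw + 0x28;      /* i_block: 60 bytes */
    /* Inline data and an extent tree both live in i_block, so the flags are exclusive. */
    if ((flags & EXT4_INLINE_DATA_FL) && (flags & EXT4_EXTENTS_FL)) return FLAG_CONFLICT;
    if (!(flags & EXT4_EXTENTS_FL)) return NOT_CHECKED;
    uint16_t entries = le16(ib + 2), depth = le16(ib + 6);
    if (le16(ib) != EXT4_EXT_MAGIC || entries > 4) return BAD_EXTENTS;
    if (depth != 0) return NOT_CHECKED;  /* index nodes are not walked here */
    for (uint16_t i = 1; i < entries; i++) {
        const uint8_t *prev = ib + 12 * i, *cur = prev + 12;
        uint32_t len = le16(prev + 4);
        if (len > 32768) len -= 32768;   /* unwritten-extent length encoding */
        if ((uint64_t)le32(prev) + len > le32(cur)) return BAD_EXTENTS;
    }
    return INODE_OK;
}

/* Constructed sample: inode with two 8-block extents at logical blocks b0 and b1. */
void build_sample(uint8_t raw[128], uint32_t flags, uint32_t b0, uint32_t b1) {
    static const uint8_t hdr[8] = { 0x0A, 0xF3, 2, 0, 4, 0, 0, 0 }; /* magic, entries, max, depth */
    memset(raw, 0, 128);
    put32(raw + 0x20, flags);
    memcpy(raw + 0x28, hdr, sizeof hdr);
    put32(raw + 0x28 + 12, b0); raw[0x28 + 16] = 8;
    put32(raw + 0x28 + 24, b1); raw[0x28 + 28] = 8;
}
int main(void) {
    uint8_t raw[128];
    build_sample(raw, EXT4_EXTENTS_FL | EXT4_INLINE_DATA_FL, 100, 0);
    printf("verdict=%d hole=%u\n", (int)check_inode(raw), (unsigned)hole_len(100, 8, 0));
}
```

With the conflicting flags set, the inode is rejected before the out-of-order extents are ever examined; `hole_len(100, 8, 0)` shows the wrapped value such extents would otherwise produce.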

Affected Version(s)

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 4954d297c91d292630ab43ba4d195dc371ce65d3

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2

Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 2e9e10657b04152ed0d6ecae8d0c02a3405e28f5

Timeline

  • Vulnerability published

  • Vulnerability Reserved
