Ext4 Filesystem Vulnerability in Linux Kernel by Open Source Vendor
CVE-2025-40190
What is CVE-2025-40190?
A vulnerability has been identified in the ext4 filesystem of the Linux kernel: the function ext4_xattr_inode_update_ref() can read an EA (extended attribute) inode refcount that is already non-positive. The reference count may then underflow, resulting in critical filesystem errors. With the fix, if the current refcount is found to be non-positive, the kernel treats this as on-disk corruption and fails the operation to prevent further erroneous behavior. This change improves the filesystem's integrity and stability by eliminating the potential for bogus refcount values and related cleanup issues.
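The guard described above, shown as a user-space C model added here for illustration; it is not the kernel's code and is not taken from the fix commit. The struct, the function names and the ERR_CORRUPTED value are assumptions; only the rule "a non-positive current refcount is on-disk corruption, so fail the operation" comes from the description.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in error code chosen for this model (assumption, not from the page). */
#define ERR_CORRUPTED (-117)

/* Hypothetical in-memory stand-in for an EA inode; not the kernel's struct. */
struct ea_inode_model {
    int64_t ref_count;     /* reference count as read from disk */
    int     error_flagged; /* set when the guard reports corruption */
};

/* "Before" shape: applies ref_change to whatever was read, so a stored
 * count of 0 or less goes further negative and the caller carries on. */
static int update_ref_unguarded(struct ea_inode_model *ea, int ref_change)
{
    ea->ref_count += ref_change;
    return 0;
}

/* "After" shape: a non-positive current count is treated as on-disk
 * corruption; the count is left untouched and the operation fails. */
static int update_ref_guarded(struct ea_inode_model *ea, int ref_change)
{
    if (ea->ref_count <= 0) {
        ea->error_flagged = 1;
        return ERR_CORRUPTED;
    }
    ea->ref_count += ref_change;
    return 0;
}

int main(void)
{
    /* Constructed input: an image whose EA inode already stores refcount 0. */
    struct ea_inode_model a = { .ref_count = 0 }, b = { .ref_count = 0 };
    int ra = update_ref_unguarded(&a, -1);
    int rb = update_ref_guarded(&b, -1);

    printf("unguarded: ret=%d ref_count=%lld\n", ra, (long long)a.ref_count);
    printf("guarded:   ret=%d ref_count=%lld flagged=%d\n",
           rb, (long long)b.ref_count, b.error_flagged);
    return 0;
}
```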
Affected Version(s)
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 1cfb3e4ddbdc8e02e637b8852540bd4718bf4814
Linux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 505e69f76ac497e788f4ea0267826ec7266b40c8