CVE-2025-23150 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off-by-one error in do_split

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split.

BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431 vfs_symlink+0x137/0x2e0 fs/namei.c:4615 do_symlinkat+0x222/0x3a0 fs/namei.c:4641 __do_sys_symlink fs/namei.c:4662 [inline]
__se_sys_symlink fs/namei.c:4660 [inline]
__x64_sys_symlink+0x7a/0x90 fs/namei.c:4660 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK>

The following loop is located right above 'if' statement.

for (i = count-1; i >= 0; i--) {
/* is more than half of this entry in 2nd half of the block? */ if (size + map[i].size/2 > blocksize/2)
break; size += map[i].size;
move++; }

'i' in this case could go down to -1, in which case sum of active entries wouldn't exceed half the block size, but previous behaviour would also do split in half if sum would exceed at the very last block, which in case of having too many long name files in a single block could lead to out-of-bounds access and following use-after-free.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 03/15/2026

The vulnerability CVE-2025-23150 represents a critical off-by-one error within the ext4 filesystem implementation of the Linux kernel, specifically in the do_split function responsible for managing directory entry splitting operations. This flaw manifests as a use-after-free condition that occurs during the execution of ext4_insert_dentry, a function that handles the insertion of directory entries. The issue was identified through systematic kernel fuzzing using Syzkaller, a powerful automated testing tool that has become instrumental in discovering memory safety vulnerabilities in kernel code. The vulnerability operates through a subtle boundary condition where loop variable 'i' can decrement to -1, causing incorrect splitting behavior that leads to out-of-bounds memory access patterns.

The technical root cause stems from improper loop boundary handling in the directory entry splitting algorithm where the iteration variable 'i' can fall below zero, creating a scenario where memory operations occur beyond allocated buffer boundaries. When processing directory entries containing long filenames, the algorithm calculates whether entries should be split based on block size thresholds, but the loop condition fails to properly account for the case where all entries might be moved, causing the index to underflow. This specific condition triggers a write operation at address 0xffff888074572f14, which corresponds to a memory location that has already been freed, resulting in a use-after-free scenario that can potentially be exploited by malicious actors. The flaw is particularly dangerous because it occurs during symlink creation operations, which are common system calls that can be invoked by unprivileged users.

The operational impact of this vulnerability extends beyond simple memory corruption, as it can potentially enable privilege escalation or system instability through controlled exploitation of the use-after-free condition. The vulnerability affects systems running Linux kernel versions that include the affected ext4 filesystem implementation, making it a widespread concern across various server and desktop environments. Attackers could potentially leverage this flaw to execute arbitrary code with kernel privileges, leading to complete system compromise. The issue was discovered during kernel verification activities conducted by the Linux Verification Center, highlighting the importance of continuous security auditing in kernel code. This vulnerability directly relates to CWE-129, which addresses improper validation of array indices, and aligns with ATT&CK technique T1068, which covers the exploitation of privilege escalation vulnerabilities in operating systems.

Mitigation strategies for CVE-2025-23150 should prioritize immediate kernel updates from trusted sources, as the fix has been implemented in kernel versions following the release containing the vulnerable code. System administrators should also consider implementing additional monitoring for suspicious filesystem operations and memory access patterns that could indicate exploitation attempts. The fix involves correcting the loop boundary conditions in the do_split function to prevent the index variable from underflowing, ensuring that the splitting algorithm properly validates all boundary conditions before performing memory operations. Organizations should also conduct comprehensive vulnerability assessments to identify systems running affected kernel versions and implement proper patch management procedures to ensure timely deployment of security fixes. The vulnerability demonstrates the critical importance of thorough boundary condition validation in kernel-level code, particularly when handling filesystem operations that involve complex memory management and buffer manipulation.

Responsible

Linux

Reservation

01/11/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00171

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!