CVE-2025-37738 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
ext4: ignore xattrs past end
Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry.
This fixes the following KASAN reported issue:
================================================================== BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 Read of size 4 at addr ffff888012c120c4 by task repro/2065
CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x1fd/0x300 ? tcp_gro_dev_warn+0x260/0x260 ? _printk+0xc0/0x100 ? read_lock_is_recursive+0x10/0x10 ? irq_work_queue+0x72/0xf0 ? __virt_addr_valid+0x17b/0x4b0 print_address_description+0x78/0x390 print_report+0x107/0x1f0 ? __virt_addr_valid+0x17b/0x4b0 ? __virt_addr_valid+0x3ff/0x4b0 ? __phys_addr+0xb5/0x160 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 kasan_report+0xcc/0x100 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90 ? ext4_xattr_delete_inode+0xd30/0xd30 ? __ext4_journal_ensure_credits+0x5f0/0x5f0 ? __ext4_journal_ensure_credits+0x2b/0x5f0 ? inode_update_timestamps+0x410/0x410 ext4_xattr_delete_inode+0xb64/0xd30 ? ext4_truncate+0xb70/0xdc0 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20 ? __ext4_mark_inode_dirty+0x670/0x670 ? ext4_journal_check_start+0x16f/0x240 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0 ext4_evict_inode+0xc8c/0xff0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 ? do_raw_spin_unlock+0x53/0x8a0 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0 evict+0x4ac/0x950 ? proc_nr_inodes+0x310/0x310 ? trace_ext4_drop_inode+0xa2/0x220 ? _raw_spin_unlock+0x1a/0x30 ? iput+0x4cb/0x7e0 do_unlinkat+0x495/0x7c0 ? try_break_deleg+0x120/0x120 ? 0xffffffff81000000 ? __check_object_size+0x15a/0x210 ? strncpy_from_user+0x13e/0x250 ? getname_flags+0x1dc/0x530 __x64_sys_unlinkat+0xc8/0xf0 do_syscall_64+0x65/0x110 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x434ffd Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8 RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107 RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
The buggy address belongs to the object at ffff888012c12000 which belongs to the cache filp of size 360 The buggy address is located 196 bytes inside of freed 360-byte region [ffff888012c12000, ffff888012c12168)
The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x40(head|node=0|zone=0) page_type: f5(slab) raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004 head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000 head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000 head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff888012c12180: fc fc fc fc fc fc fc fc fc ---truncated---
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 03/15/2026
The vulnerability identified as CVE-2025-37738 resides within the Linux kernel's ext4 file system implementation, specifically in the handling of extended attributes. This flaw manifests as a use-after-free error during the execution of the function ext4_xattr_inode_dec_ref_all, which is responsible for decrementing reference counts on extended attribute inodes. The issue arises when the kernel attempts to process extended attribute entries beyond a defined boundary, referred to as the 'end' entry, leading to access of memory that has already been freed. Such behavior is indicative of a classic memory safety issue and can result in system instability or potential exploitation by malicious actors.
The technical root cause of this vulnerability is tied to improper bounds checking within the extended attribute processing logic. When the kernel iterates through extended attribute entries, it fails to validate whether the current entry lies within the valid range defined by the 'end' marker. This oversight leads to the kernel dereferencing pointers that point to memory regions that have already been deallocated, thereby triggering a slab-use-after-free condition as reported by KASAN. The specific memory access pattern shows that the kernel attempts to read a 4-byte value from an address that belongs to a freed slab object, which is a clear indicator of memory corruption. According to CWE-416, this vulnerability maps directly to use-after-free conditions, which are a common class of vulnerabilities in kernel space where memory is accessed after it has been freed.
The operational impact of this vulnerability extends beyond simple system crashes, as it can enable privilege escalation or denial of service attacks. The nature of the bug allows for arbitrary memory access, which can be leveraged to corrupt kernel data structures or potentially execute arbitrary code with kernel privileges. The call trace demonstrates that this vulnerability is triggered during inode eviction, which is a common operation when files are deleted or when the system is under memory pressure. This makes the vulnerability particularly dangerous as it can be exploited through normal file system operations, and the attack surface is broad, affecting any system running an affected kernel version.
Mitigation strategies for CVE-2025-37738 must focus on ensuring that all extended attribute processing respects boundary conditions and prevents access to freed memory regions. The fix implemented in the kernel involves adding a check to ignore extended attribute entries that lie beyond the 'end' marker, effectively preventing the use-after-free scenario. System administrators should immediately apply the relevant kernel updates to address this vulnerability. Additionally, monitoring for KASAN reports and other memory corruption indicators can help detect exploitation attempts. From an ATT&CK perspective, this vulnerability aligns with techniques involving privilege escalation and defense evasion, as it can be used to bypass memory protection mechanisms and potentially establish persistent access to systems. Organizations should also consider implementing kernel hardening measures such as stack canaries and control flow integrity to reduce the impact of similar vulnerabilities. The fix demonstrates the importance of robust input validation and boundary checking in kernel code, particularly when handling complex data structures like extended attributes that may be subject to manipulation by user-space processes.