DEBIAN-CVE-2025-40190

DEBIAN-CVE-2025-40190 PUBLISHED CVSS 8.7 HIGH

In the Linux kernel, the following vulnerability has been resolved:

ext4: guard against EA inode refcount underflow in xattr update

syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like:

    EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
    EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn.
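The invariant described above, as an added userspace model that is not the kernel patch or any code from this advisory: it contrasts an unguarded refcount update with one that rejects a non-positive refcount before applying ref_change. The struct and function names are hypothetical, and EFSCORRUPTED is set to 117 to match the err=-117 log line.

```c
#include <stdint.h>
#include <stdio.h>

/* Value taken from the err=-117 log line quoted in the advisory. */
#define EFSCORRUPTED 117

/* Hypothetical userspace stand-in for an EA inode (not a kernel struct). */
struct ea_inode_model {
    int64_t ref_count;      /* refcount as read from disk */
    int     error_reported; /* models ext4_error_inode() being called */
};

/* Before: ref_change is applied to whatever value was read. */
static int update_ref_unguarded(struct ea_inode_model *ea, int ref_change)
{
    ea->ref_count += ref_change;   /* 0 + (-1) becomes -1 */
    return 0;                      /* caller proceeds with a bogus value */
}

/* After: a non-positive refcount is treated as on-disk corruption. */
static int update_ref_guarded(struct ea_inode_model *ea, int ref_change)
{
    if (ea->ref_count <= 0) {
        ea->error_reported = 1;    /* report, leave the refcount untouched */
        return -EFSCORRUPTED;
    }
    ea->ref_count += ref_change;
    return 0;
}

int main(void)
{
    /* Constructed inputs: two corrupted inodes (ref 0), one healthy (ref 2). */
    struct ea_inode_model bad = { 0, 0 }, bad2 = { 0, 0 }, ok = { 2, 0 };
    int r;

    r = update_ref_unguarded(&bad, -1);
    printf("unguarded: ret=%d ref_count=%lld\n", r, (long long)bad.ref_count);
    r = update_ref_guarded(&bad2, -1);
    printf("guarded:   ret=%d ref_count=%lld reported=%d\n",
           r, (long long)bad2.ref_count, bad2.error_reported);
    r = update_ref_guarded(&ok, -1);
    printf("healthy:   ret=%d ref_count=%lld\n", r, (long long)ok.ref_count);
    return 0;
}
```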

Risk Scores

CVSS 4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products

| Vendor | Product | Versions |
| --- | --- | --- |
| Debian:11 | linux-6.1 | *, 6.1.153-1, 6.1.148-1 |
| Debian:14 | linux | 6.14.5-1~exp1, 6.14.6-1~exp1, 6.15-1~exp1 |
| Debian:11 | linux | 5.10.221-1, 0, 5.10.103-1 |
| Debian:12 | linux | 6.1.52-1, 6.1.38-3, 6.1.38-2~bpo11+1 |
| Debian:13 | linux | 6.12.41-1, 0, 6.12.38-1 |

Exploit Intelligence

Timeline

  • Nov 12, 2025 CVE Published
  • Apr 28, 2026 CVE Updated