CVE-2025-22113: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here.
AI Analysis
Technical Summary
CVE-2025-22113 is a vulnerability identified in the Linux kernel's ext4 filesystem journaling mechanism. The issue arises during the unmount process when the ext4 filesystem's journal is being destroyed. Normally, the kernel uses a journaling mechanism (JBD2) to ensure filesystem consistency by recording changes before they are committed. The vulnerability occurs because the kernel attempts to start a new journaling transaction even after the journal has been marked as destroyed (JBD2_UNMOUNT flag set). This happens due to a race condition in the error handling paths triggered during unmounting, specifically within the update_super_work function that performs superblock updates asynchronously via a workqueue. When the journal is destroyed, the kernel should never start new transactions, but under certain error conditions, it does, leading to a BUG_ON assertion failure and potential kernel panic or system crash. To mitigate this, the patch introduces a new mount flag indicating the journal is destroying, which prevents deferred journaled updates of the superblock once set. Instead, it falls back to un-journaled commits, ensuring safe superblock updates without triggering the BUG_ON. The patch also enforces a strict sequence during journal destruction: setting the flag, forcing a commit and waiting for it, then flushing pending superblock updates. This sequence guarantees no further journaled superblock updates occur after the journal is destroyed, preventing race conditions and system instability. This vulnerability affects Linux kernel versions containing the specified commit (2d01ddc86606564fb08c56e3bc93a0693895f710) and likely impacts all ext4 filesystems using journaling on affected kernels prior to the patch. While no known exploits are reported in the wild, the vulnerability can cause denial of service via kernel crashes during unmount operations, especially under stress or error conditions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily of denial of service (DoS) due to kernel panics or system crashes when unmounting ext4 filesystems under error conditions. Many European enterprises and public sector organizations rely heavily on Linux servers running ext4, especially in cloud infrastructure, data centers, and critical systems. A crash during unmount could disrupt services, cause data loss if unclean shutdowns occur, and impact availability of critical applications. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting instability can affect operational continuity. Organizations running high-availability Linux environments or those using ext4 on embedded or IoT devices may face increased risk if the kernel version is vulnerable and the system undergoes frequent mount/unmount cycles or stress testing. The lack of known exploits suggests low immediate threat, but the potential for accidental crashes or targeted DoS attacks exploiting this race condition remains a concern. Given the widespread use of ext4 in Europe, especially in enterprise Linux distributions, the impact could be significant if unpatched systems are exposed in production environments.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch addressing CVE-2025-22113. Specifically, ensure that the kernel version contains the fix that introduces the new mount flag to prevent journaling after journal destruction. System administrators should audit their environments to identify ext4 filesystems in use and verify kernel versions against the patched commit. For critical systems, perform controlled unmount operations and monitor kernel logs for any BUG_ON or panic messages related to journaling. Additionally, organizations should implement robust backup and recovery procedures to mitigate potential data loss from unexpected crashes. In environments where immediate patching is not feasible, consider reducing unmount operations or stress testing that could trigger the vulnerability. Engage with Linux distribution vendors for timely security updates and apply them promptly. Finally, incorporate this vulnerability into incident response plans to quickly address any stability issues arising from this flaw.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain, Poland, Belgium
CVE-2025-22113: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here.
AI-Powered Analysis
Technical Analysis
CVE-2025-22113 is a vulnerability identified in the Linux kernel's ext4 filesystem journaling mechanism. The issue arises during the unmount process when the ext4 filesystem's journal is being destroyed. Normally, the kernel uses a journaling mechanism (JBD2) to ensure filesystem consistency by recording changes before they are committed. The vulnerability occurs because the kernel attempts to start a new journaling transaction even after the journal has been marked as destroyed (JBD2_UNMOUNT flag set). This happens due to a race condition in the error handling paths triggered during unmounting, specifically within the update_super_work function that performs superblock updates asynchronously via a workqueue. When the journal is destroyed, the kernel should never start new transactions, but under certain error conditions, it does, leading to a BUG_ON assertion failure and potential kernel panic or system crash. To mitigate this, the patch introduces a new mount flag indicating the journal is destroying, which prevents deferred journaled updates of the superblock once set. Instead, it falls back to un-journaled commits, ensuring safe superblock updates without triggering the BUG_ON. The patch also enforces a strict sequence during journal destruction: setting the flag, forcing a commit and waiting for it, then flushing pending superblock updates. This sequence guarantees no further journaled superblock updates occur after the journal is destroyed, preventing race conditions and system instability. This vulnerability affects Linux kernel versions containing the specified commit (2d01ddc86606564fb08c56e3bc93a0693895f710) and likely impacts all ext4 filesystems using journaling on affected kernels prior to the patch. While no known exploits are reported in the wild, the vulnerability can cause denial of service via kernel crashes during unmount operations, especially under stress or error conditions.
Potential Impact
For European organizations, this vulnerability poses a risk primarily of denial of service (DoS) due to kernel panics or system crashes when unmounting ext4 filesystems under error conditions. Many European enterprises and public sector organizations rely heavily on Linux servers running ext4, especially in cloud infrastructure, data centers, and critical systems. A crash during unmount could disrupt services, cause data loss if unclean shutdowns occur, and impact availability of critical applications. Although this vulnerability does not appear to allow privilege escalation or remote code execution, the resulting instability can affect operational continuity. Organizations running high-availability Linux environments or those using ext4 on embedded or IoT devices may face increased risk if the kernel version is vulnerable and the system undergoes frequent mount/unmount cycles or stress testing. The lack of known exploits suggests low immediate threat, but the potential for accidental crashes or targeted DoS attacks exploiting this race condition remains a concern. Given the widespread use of ext4 in Europe, especially in enterprise Linux distributions, the impact could be significant if unpatched systems are exposed in production environments.
Mitigation Recommendations
European organizations should prioritize updating their Linux kernels to versions that include the patch addressing CVE-2025-22113. Specifically, ensure that the kernel version contains the fix that introduces the new mount flag to prevent journaling after journal destruction. System administrators should audit their environments to identify ext4 filesystems in use and verify kernel versions against the patched commit. For critical systems, perform controlled unmount operations and monitor kernel logs for any BUG_ON or panic messages related to journaling. Additionally, organizations should implement robust backup and recovery procedures to mitigate potential data loss from unexpected crashes. In environments where immediate patching is not feasible, consider reducing unmount operations or stress testing that could trigger the vulnerability. Engage with Linux distribution vendors for timely security updates and apply them promptly. Finally, incorporate this vulnerability into incident response plans to quickly address any stability issues arising from this flaw.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-12-29T08:45:45.821Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9832c4522896dcbe8192
Added to database: 5/21/2025, 9:09:06 AM
Last enriched: 7/3/2025, 9:27:13 PM
Last updated: 8/19/2025, 12:28:31 PM
Views: 21
Related Threats
CVE-2025-52351: n/a
HighCVE-2025-52352: n/a
HighPre-Auth Exploit Chains Found in Commvault Could Enable Remote Code Execution Attacks
HighCVE-2025-7051: CWE-284 in N-able N-central
HighCVE-2025-57768: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Alanaktion phproject
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.