
CVE-2025-23150: Vulnerability in Linux Linux

High
Published: Thu May 01 2025 (05/01/2025, 12:55:38 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix off-by-one error in do_split

Syzkaller detected a use-after-free issue in ext4_insert_dentry that was caused by out-of-bounds access due to incorrect splitting in do_split.

BUG: KASAN: use-after-free in ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
Write of size 251 at addr ffff888074572f14 by task syz-executor335/5847

CPU: 0 UID: 0 PID: 5847 Comm: syz-executor335 Not tainted 6.12.0-rc6-syzkaller-00318-ga9cda7c0ffed #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 ext4_insert_dentry+0x36a/0x6d0 fs/ext4/namei.c:2109
 add_dirent_to_buf+0x3d9/0x750 fs/ext4/namei.c:2154
 make_indexed_dir+0xf98/0x1600 fs/ext4/namei.c:2351
 ext4_add_entry+0x222a/0x25d0 fs/ext4/namei.c:2455
 ext4_add_nondir+0x8d/0x290 fs/ext4/namei.c:2796
 ext4_symlink+0x920/0xb50 fs/ext4/namei.c:3431
 vfs_symlink+0x137/0x2e0 fs/namei.c:4615
 do_symlinkat+0x222/0x3a0 fs/namei.c:4641
 __do_sys_symlink fs/namei.c:4662 [inline]
 __se_sys_symlink fs/namei.c:4660 [inline]
 __x64_sys_symlink+0x7a/0x90 fs/namei.c:4660
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
 </TASK>

The following loop is located right above the 'if' statement.

	for (i = count-1; i >= 0; i--) {
		/* is more than half of this entry in 2nd half of the block? */
		if (size + map[i].size/2 > blocksize/2)
			break;
		size += map[i].size;
		move++;
	}

'i' in this case could go down to -1, in which case the sum of active entries wouldn't exceed half the block size, but previous behaviour would also do a split in half if the sum would exceed at the very last block, which in the case of having too many long-name files in a single block could lead to out-of-bounds access and a following use-after-free.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
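The loop quoted above can be exercised outside the kernel to see the off-by-one concretely. The following is an added example, not kernel code or part of the CVE record: it models only the entry sizes that the loop reads, runs the loop with the quoted lower bound (i >= 0) and with the bound tightened to i > 0, and adds a split-point validation check of the kind a reviewer would want. The bounded variant and the validate_split check are this example's own illustration of the class of correction the description refers to, not a copy of the upstream patch, and the entry sizes are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the entry-counting
 * loop from ext4's do_split() quoted in the CVE description. Only the field
 * the loop reads (the size of each directory entry in the block) is modelled.
 */
struct split_scan {
    int i;     /* loop index at exit; -1 means the loop walked past entry 0 */
    int move;  /* number of entries counted for the second half of the block */
    int size;  /* bytes accumulated for the second half */
};

/* The loop as quoted on the page: lower bound i >= 0. */
struct split_scan scan_original(const int *map_size, int count, int blocksize)
{
    struct split_scan r = { 0, 0, 0 };
    int i;

    for (i = count - 1; i >= 0; i--) {
        /* is more than half of this entry in 2nd half of the block? */
        if (r.size + map_size[i] / 2 > blocksize / 2)
            break;
        r.size += map_size[i];
        r.move++;
    }
    r.i = i;   /* on a block that is under half full this is -1 */
    return r;
}

/*
 * Same loop with the lower bound tightened to i > 0, so entry 0 is never
 * counted into the second half and the index cannot run past the array.
 * Assumed illustration of the correction, not the upstream diff.
 */
struct split_scan scan_bounded(const int *map_size, int count, int blocksize)
{
    struct split_scan r = { 0, 0, 0 };
    int i;

    for (i = count - 1; i > 0; i--) {
        if (r.size + map_size[i] / 2 > blocksize / 2)
            break;
        r.size += map_size[i];
        r.move++;
    }
    r.i = i;   /* never below 0 */
    return r;
}

/*
 * Defensive invariant for any chosen split index: both halves must be
 * non-empty and each half's entries must fit in one block.
 */
bool validate_split(const int *map_size, int count, int blocksize, int split)
{
    int first = 0, second = 0;

    if (split < 1 || split > count - 1)
        return false;
    for (int k = 0; k < split; k++)
        first += map_size[k];
    for (int k = split; k < count; k++)
        second += map_size[k];
    return first <= blocksize && second <= blocksize;
}

int main(void)
{
    /* Constructed input: a 1024-byte block that is less than half full. */
    const int small[] = { 40, 40, 40, 40, 40, 40 };
    const int count = 6, blocksize = 1024;

    struct split_scan a = scan_original(small, count, blocksize);
    struct split_scan b = scan_bounded(small, count, blocksize);

    printf("original: exit i=%d move=%d -> split index %d valid=%d\n",
           a.i, a.move, count - a.move,
           validate_split(small, count, blocksize, count - a.move));
    printf("bounded:  exit i=%d move=%d -> split index %d valid=%d\n",
           b.i, b.move, count - b.move,
           validate_split(small, count, blocksize, count - b.move));
    return 0;
}
```

With the constructed sizes the original loop exits at i == -1 having counted every entry, so a split index derived as count - move would be 0 and fails validate_split; the bounded loop stops at i == 0 and yields a split that keeps at least one entry in each half. When the block is fuller, both loops break at the same index and agree.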

AI-Powered Analysis

Last updated: 07/03/2025, 22:11:24 UTC

Technical Analysis

CVE-2025-23150 is a vulnerability identified in the Linux kernel's ext4 filesystem implementation, specifically within the do_split function used during directory entry insertion (ext4_insert_dentry). The flaw is an off-by-one error that leads to an out-of-bounds memory access and subsequent use-after-free condition. This vulnerability was discovered through fuzz testing with Syzkaller, a kernel fuzzer, and reported by the Linux Verification Center. The root cause lies in the logic of a loop that iterates over directory entries to determine how to split directory blocks when inserting new entries. The loop counter 'i' can decrement to -1, causing the code to incorrectly handle the splitting of directory blocks when there are many long-named files in a single block. This results in memory corruption due to accessing memory beyond allocated bounds and freeing memory that is still in use. The kernel's Kernel Address Sanitizer (KASAN) detected this use-after-free during testing, indicating a serious memory safety issue. The vulnerability affects multiple recent Linux kernel versions, including various commits referenced by their hashes. The flaw is located in ext4's namei.c source file, which handles filesystem path name resolution and directory entry management. No known exploits are reported in the wild as of the publication date (May 1, 2025), and no CVSS score has been assigned yet. The vulnerability could potentially be triggered by local users or processes that perform filesystem operations involving symlinks or directory modifications on ext4 filesystems. The issue has been addressed by correcting the loop condition and splitting logic to prevent out-of-bounds access and use-after-free errors.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to systems running Linux with ext4 filesystems, which are widely used in servers, desktops, and embedded devices. Exploitation could allow local attackers or compromised processes to cause kernel crashes (denial of service) or potentially escalate privileges by corrupting kernel memory. This could lead to system instability, data corruption, or unauthorized access to sensitive information. Given the prevalence of Linux in critical infrastructure, cloud services, and enterprise environments across Europe, the impact could extend to service outages and compromise of confidential data. Organizations relying on ext4 for storage in data centers or cloud platforms may face operational disruptions. Moreover, the vulnerability could be leveraged as part of multi-stage attacks targeting Linux-based systems. Although no public exploits are known yet, the use-after-free nature of the bug makes it a candidate for exploitation by skilled attackers. The impact on confidentiality, integrity, and availability is therefore high, especially if combined with other vulnerabilities or misconfigurations.

Mitigation Recommendations

1. Immediate patching: Apply the official Linux kernel patches that fix the off-by-one error in do_split and the use-after-free in ext4_insert_dentry as soon as they are released and tested for your environment.
2. Kernel version management: Upgrade to a Linux kernel version that includes the fix for CVE-2025-23150. Monitor kernel mailing lists and vendor advisories for updates.
3. Restrict local access: Limit local user privileges and access to systems running vulnerable kernels to reduce the risk of exploitation by untrusted users or processes.
4. Filesystem monitoring: Implement monitoring for unusual filesystem activity, especially related to directory modifications and symlink creation, which could indicate attempts to trigger the vulnerability.
5. Use security modules: Employ Linux Security Modules (LSMs) such as SELinux or AppArmor to enforce strict access controls on filesystem operations.
6. Testing and validation: Before deploying kernel updates, conduct thorough testing in staging environments to ensure stability and compatibility.
7. Incident response readiness: Prepare for potential exploitation by having incident response plans and forensic capabilities to detect and respond to kernel-level compromises.
8. Avoid untrusted code execution: Prevent execution of untrusted or malicious code that could attempt to exploit this vulnerability locally.


Technical Details

Data Version
5.1
Assigner Short Name
Linux
Date Reserved
2025-01-11T14:28:41.513Z
Cisa Enriched
false
Cvss Version
null
State
PUBLISHED

Threat ID: 682d9820c4522896dcbdd453

Added to database: 5/21/2025, 9:08:48 AM

Last enriched: 7/3/2025, 10:11:24 PM

Last updated: 8/15/2025, 7:21:01 PM

Views: 30
