
CVE-2025-37738: Vulnerability in Linux

Severity: High
Published: Thu May 01 2025 (05/01/2025, 12:55:47 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: ignore xattrs past end

Once inside 'ext4_xattr_inode_dec_ref_all' we should ignore xattrs entries past the 'end' entry.

This fixes the following KASAN reported issue:

==================================================================
BUG: KASAN: slab-use-after-free in ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
Read of size 4 at addr ffff888012c120c4 by task repro/2065

CPU: 1 UID: 0 PID: 2065 Comm: repro Not tainted 6.13.0-rc2+ #11
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x1fd/0x300
 ? tcp_gro_dev_warn+0x260/0x260
 ? _printk+0xc0/0x100
 ? read_lock_is_recursive+0x10/0x10
 ? irq_work_queue+0x72/0xf0
 ? __virt_addr_valid+0x17b/0x4b0
 print_address_description+0x78/0x390
 print_report+0x107/0x1f0
 ? __virt_addr_valid+0x17b/0x4b0
 ? __virt_addr_valid+0x3ff/0x4b0
 ? __phys_addr+0xb5/0x160
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 kasan_report+0xcc/0x100
 ? ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ext4_xattr_inode_dec_ref_all+0xb8c/0xe90
 ? ext4_xattr_delete_inode+0xd30/0xd30
 ? __ext4_journal_ensure_credits+0x5f0/0x5f0
 ? __ext4_journal_ensure_credits+0x2b/0x5f0
 ? inode_update_timestamps+0x410/0x410
 ext4_xattr_delete_inode+0xb64/0xd30
 ? ext4_truncate+0xb70/0xdc0
 ? ext4_expand_extra_isize_ea+0x1d20/0x1d20
 ? __ext4_mark_inode_dirty+0x670/0x670
 ? ext4_journal_check_start+0x16f/0x240
 ? ext4_inode_is_fast_symlink+0x2f2/0x3a0
 ext4_evict_inode+0xc8c/0xff0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 ? do_raw_spin_unlock+0x53/0x8a0
 ? ext4_inode_is_fast_symlink+0x3a0/0x3a0
 evict+0x4ac/0x950
 ? proc_nr_inodes+0x310/0x310
 ? trace_ext4_drop_inode+0xa2/0x220
 ? _raw_spin_unlock+0x1a/0x30
 ? iput+0x4cb/0x7e0
 do_unlinkat+0x495/0x7c0
 ? try_break_deleg+0x120/0x120
 ? 0xffffffff81000000
 ? __check_object_size+0x15a/0x210
 ? strncpy_from_user+0x13e/0x250
 ? getname_flags+0x1dc/0x530
 __x64_sys_unlinkat+0xc8/0xf0
 do_syscall_64+0x65/0x110
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x434ffd
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 8
RSP: 002b:00007ffc50fa7b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000107
RAX: ffffffffffffffda RBX: 00007ffc50fa7e18 RCX: 0000000000434ffd
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 00007ffc50fa7be0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc50fa7e08 R14: 00000000004bbf30 R15: 0000000000000001
 </TASK>

The buggy address belongs to the object at ffff888012c12000
 which belongs to the cache filp of size 360
The buggy address is located 196 bytes inside of
 freed 360-byte region [ffff888012c12000, ffff888012c12168)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12c12
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x40(head|node=0|zone=0)
page_type: f5(slab)
raw: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000040 ffff888000ad7640 ffffea0000497a00 dead000000000004
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 0000000000000001 ffffea00004b0481 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888012c11f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888012c12000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888012c12080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888012c12100: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff888012c12180: fc fc fc fc fc fc fc fc fc
---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 22:25:41 UTC

Technical Analysis

CVE-2025-37738 is a use-after-free in the Linux kernel's ext4 filesystem, in the extended-attribute (xattr) handling code. The affected function, ext4_xattr_inode_dec_ref_all, drops the reference counts of the xattr inodes referenced by an inode's xattr entries. It walked the entry table without stopping at the 'end' marker, so on a malformed table it read entries past the valid region. The Kernel Address Sanitizer (KASAN) caught this as a slab-use-after-free: the report shows a 4-byte read 196 bytes inside a freed 360-byte object from the filp slab cache, that is, memory that no longer belongs to the xattr buffer being walked. The path in the report is an unlinkat() system call evicting the inode (do_unlinkat, evict, ext4_evict_inode, ext4_xattr_delete_inode, ext4_xattr_inode_dec_ref_all). Reading freed memory here can lead to memory corruption, a kernel crash (denial of service) or, potentially, privilege escalation if a local attacker can exploit it. The CVE record lists multiple affected kernel versions; the fix makes the walk ignore any xattr entry beyond the 'end' marker, which removes the out-of-bounds read. No public exploit had been reported and no CVSS score had been assigned at the time of publication. Triggering the bug requires local access, since it involves filesystem operations on an ext4 volume.
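A constructed, simplified model of the bounded entry walk the fix describes, written as an added example here and not taken from the kernel (the `struct xentry` layout, `walk_ea_inode_refs` and the sample tables are assumptions): it shows how checking each entry against `end` before touching it turns a walk over a corrupt or unterminated table into a clean error instead of a read past the buffer.

```c
#include <stdint.h>

/* Constructed, simplified model of an xattr entry table: fixed-size
 * entries terminated by an all-zero "last entry" marker.  This is an
 * illustration of the bounds check, not the ext4 on-disk structures. */
struct xentry {
    uint32_t name_len;   /* 0 marks the terminator */
    uint32_t ea_inode;   /* non-zero: value is stored in a separate inode */
};

#define IS_LAST(e) ((e)->name_len == 0)

/* Walk the table and count entries that reference an ea_inode.  `end`
 * points one past the last byte of the buffer holding the table.
 * Returns 0 on a clean walk, -1 if the next entry would lie past `end`. */
static int walk_ea_inode_refs(const struct xentry *first, const void *end,
                              int *count)
{
    const struct xentry *e;
    *count = 0;
    for (e = first;; e++) {
        /* The guard the fix adds: never read an entry that is not entirely
         * inside [first, end).  Without it, a missing or corrupt terminator
         * lets the loop run off the buffer (the read KASAN flagged). */
        if ((const char *)e + sizeof(*e) > (const char *)end)
            return -1;
        if (IS_LAST(e))
            return 0;
        if (e->ea_inode != 0)
            (*count)++;
    }
}

/* Well-formed table: three entries, two with ea_inode values, then the
 * terminator.  Returns the ea_inode count (2), or -1 if the walk failed. */
int demo_well_formed(void)
{
    struct xentry buf[4] = { { 4, 12 }, { 3, 0 }, { 5, 13 }, { 0, 0 } };
    int n;
    return walk_ea_inode_refs(buf, buf + 4, &n) == 0 ? n : -1;
}

/* Corrupt table: no terminator inside the buffer.  The bounded walk stops
 * at `end` and returns -1 instead of reading past the buffer. */
int demo_missing_terminator(void)
{
    struct xentry buf[3] = { { 4, 12 }, { 3, 7 }, { 5, 13 } };
    int n;
    return walk_ea_inode_refs(buf, buf + 3, &n);
}
```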

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to servers and systems running Linux with ext4 filesystems, which are widely used across enterprise, cloud, and hosting environments. Exploitation could allow local attackers or malicious processes to cause kernel crashes, resulting in denial of service and potential data loss or corruption. More critically, if leveraged in a crafted attack, it could enable privilege escalation, allowing attackers to gain root-level access and compromise system integrity and confidentiality. This is particularly concerning for critical infrastructure, financial institutions, government agencies, and large enterprises that rely heavily on Linux-based servers. The vulnerability could disrupt services, lead to unauthorized data access, and facilitate lateral movement within networks. Given the prevalence of Linux in European data centers and cloud providers, the impact could be widespread if not mitigated promptly.

Mitigation Recommendations

Organizations should prioritize updating their Linux kernel to versions that carry the fix for CVE-2025-37738. Since the flaw is in the ext4 filesystem code, kernel updates from trusted Linux distributions should be applied as soon as they are available. In addition, organizations should:

1) Audit and restrict local user access to reduce the chance that an unprivileged user can trigger the bug.
2) Build and run test kernels with the Kernel Address Sanitizer (KASAN) enabled to detect similar memory-safety issues before they reach production.
3) Monitor system logs for unusual ext4 filesystem errors or kernel warnings that might indicate attempted exploitation.
4) Use mandatory access controls (e.g., SELinux, AppArmor) to limit the capabilities of processes that interact with the filesystem.
5) For critical systems, consider isolating or sandboxing services that handle untrusted data to reduce the attack surface.
6) Maintain regular backups to recover from data corruption or denial of service caused by exploitation attempts.

These steps go beyond generic patching advice by emphasizing proactive detection, access control, and system resilience.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2025-04-16T04:51:23.935Z
Cisa Enriched: false
Cvss Version: null
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe82b3

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 10:25:41 PM

Last updated: 8/17/2025, 5:23:23 PM

