CVE-2025-38580

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix inode use after free in ext4_end_io_rsv_work()

In ext4_io_end_defer_completion(), check if io_end->list_vec is empty to
avoid adding an io_end that requires no conversion to the
i_rsv_conversion_list, which in turn prevents starting an unnecessary
worker. An ext4_emergency_state() check is also added to avoid attempting
to abort the journal in an emergency state.

Additionally, ext4_put_io_end_defer() is refactored to call
ext4_io_end_defer_completion() directly instead of being open-coded.
This also prevents starting an unnecessary worker when EXT4_IO_END_FAILED
is set but data_err=abort is not enabled.

This ensures that the check in ext4_put_io_end_defer() is consistent with
the check in ext4_end_bio(). Otherwise, we might add an io_end to the
i_rsv_conversion_list and then call ext4_finish_bio(), after which the
inode could be freed before ext4_end_io_rsv_work() is called, triggering
a use-after-free issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 2%
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.237-1
fixed
bookworm
6.1.137-1
fixed
bookworm (security)
6.1.147-1
fixed
trixie (security)
6.12.41-1
fixed
forky
6.12.38-1
fixed
sid
6.12.38-1
fixed
trixie
6.12.38-1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/469c44e66e2110054949609dde095788320139d0
https://git.kernel.org/stable/c/ac999862b98a0f49e858e509f776be51406f1e77
https://git.kernel.org/stable/c/c678bdc998754589cea2e6afab9401d7d8312ac4