CVE-2025-40190
CVE-2025-40190 is a security vulnerability that is still awaiting full analysis and scoring. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- EPSS exploit prediction: 0% (9th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-150384
- Published:
- Last modified:
Description
In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn.
Frequently asked questions
- What is CVE-2025-40190?
- In the Linux kernel, the following vulnerability has been resolved: ext4: guard against EA inode refcount underflow in xattr update syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like: EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1 EXT4-fs warning: ea_inode dec ref err=-117 Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode(). This prevents the underflow and the follow-on orphan/cleanup churn.
- Is CVE-2025-40190 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (9th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-40190?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-40190 have an EU (EUVD) identifier?
- Yes. CVE-2025-40190 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-150384.
- When was CVE-2025-40190 published?
- CVE-2025-40190 was published on 2025-11-12 and last updated on 2026-06-17.
References
- https://git.kernel.org/stable/c/1cfb3e4ddbdc8e02e637b8852540bd4718bf4814
- https://git.kernel.org/stable/c/3d6269028246f4484bfed403c947a114bb583631
- https://git.kernel.org/stable/c/440b003f449a4ff2a00b08c8eab9ba5cd28f3943
- https://git.kernel.org/stable/c/505e69f76ac497e788f4ea0267826ec7266b40c8
- https://git.kernel.org/stable/c/57295e835408d8d425bef58da5253465db3d6888
- https://git.kernel.org/stable/c/6b879c4c6bbaab03c0ad2a983953bd1410bb165e
- https://git.kernel.org/stable/c/79ea7f3e11effe1bd9e753172981d9029133a278
- https://git.kernel.org/stable/c/ea39e712c2f5ae148ee5515798ae03523673e002