CVE-2025-23150 Overview
CVE-2025-23150 is an off-by-one error vulnerability in the Linux kernel's ext4 filesystem implementation, specifically in the do_split function. This flaw was discovered through Syzkaller fuzzing and results in a use-after-free condition in ext4_insert_dentry due to out-of-bounds memory access during directory entry splitting operations.
Critical Impact
Local attackers with low privileges can trigger a use-after-free condition through crafted filesystem operations, potentially causing system crashes or denial of service on systems using ext4 filesystems.
Affected Products
- Linux Kernel versions 5.9 through 6.15-rc1
- Debian Linux 11.0
- Various Linux distributions using affected kernel versions
Discovery Timeline
- 2025-05-01 - CVE-2025-23150 published to NVD
- 2025-11-05 - Last updated in NVD database
Technical Details for CVE-2025-23150
Vulnerability Analysis
The vulnerability exists in the ext4 filesystem's directory splitting logic within the do_split function located in fs/ext4/namei.c. When the kernel performs directory entry operations, particularly during symlink creation, the splitting algorithm can miscalculate boundary conditions when processing directory entries with long filenames.
The core issue lies in a loop that determines how to split directory entries across block halves. The loop variable i iterates from count-1 down to 0, but the termination condition allows i to reach -1. When this occurs with blocks containing many entries with long filenames, the subsequent operations use an incorrect index value, resulting in out-of-bounds memory access.
This out-of-bounds access triggers a use-after-free condition when ext4_insert_dentry attempts to write data to an invalid memory location. KASAN (Kernel Address SANitizer) reports show writes of size 251 bytes to freed memory regions.
Root Cause
The root cause is an off-by-one error (CWE-193) in the boundary condition check within the do_split function. The splitting algorithm iterates through directory entry mappings to determine the optimal split point, but fails to properly handle the case where the cumulative size of entries doesn't exceed half the block size even after checking all entries. The loop allows the index variable to decrement to -1, which then causes incorrect memory calculations when the split is performed.
The previous behavior would force a split at the midpoint even when inappropriate, particularly problematic when a single block contains many files with long names that collectively require more than half the block's capacity.
Attack Vector
Exploitation requires local access to the system with the ability to perform filesystem operations on an ext4-mounted volume. An attacker can trigger the vulnerability by:
- Creating a directory with many files having long filenames
- Performing operations that trigger directory block splitting, such as creating symlinks
- The malformed split operation causes out-of-bounds memory access
- The subsequent write to freed memory can lead to denial of service
The KASAN stack trace shows the attack path flowing through: __x64_sys_symlink → ext4_symlink → ext4_add_entry → make_indexed_dir → add_dirent_to_buf → ext4_insert_dentry.
The vulnerability manifests when directory entries are manipulated in ways that stress the splitting algorithm. When the loop in do_split completes with i at -1, subsequent array accesses using this index result in out-of-bounds memory operations. See the Kernel Stable Commit 16d9067 for the complete technical fix.
Detection Methods for CVE-2025-23150
Indicators of Compromise
- KASAN reports indicating use-after-free in ext4_insert_dentry function
- Kernel panic or oops messages referencing fs/ext4/namei.c around line 2109
- Unexpected system crashes during heavy filesystem operations on ext4 volumes
- Memory corruption warnings in kernel logs related to ext4 directory operations
Detection Strategies
- Enable KASAN (Kernel Address SANitizer) in kernel builds to detect memory corruption at runtime
- Monitor kernel logs for ext4-related warnings or errors, particularly those referencing do_split or ext4_insert_dentry
- Deploy SentinelOne agents to monitor for kernel-level anomalies and memory corruption indicators
- Use kernel auditing to track filesystem operations that could trigger the vulnerability
Monitoring Recommendations
- Configure syslog monitoring to alert on ext4 filesystem errors and KASAN reports
- Implement file integrity monitoring on critical system directories using ext4
- Enable kernel crash dump analysis to capture evidence of exploitation attempts
- Monitor for unusual patterns of symlink creation or directory manipulation
How to Mitigate CVE-2025-23150
Immediate Actions Required
- Update to a patched Linux kernel version as soon as possible
- Review and apply distribution-specific security updates from Debian and other vendors
- Consider temporarily limiting untrusted user access to ext4 filesystem write operations
- Enable enhanced kernel auditing to detect potential exploitation attempts
Patch Information
Multiple patches have been released across various stable kernel branches. The fix corrects the off-by-one error by properly handling the loop boundary condition in do_split. Key patch commits include:
- Kernel Stable Commit 16d9067
- Kernel Stable Commit 17df39f
- Kernel Stable Commit 2883e9e
- Kernel Stable Commit 94824ac
Debian users should refer to the Debian LTS Security Announcements for distribution-specific updates.
Workarounds
- Limit filesystem write access to trusted users only until patches can be applied
- Consider using alternative filesystems (xfs, btrfs) for sensitive operations if patching is delayed
- Implement strict access controls on ext4-mounted volumes accessible to untrusted users
- Enable kernel hardening features such as KASAN and UBSAN in development environments
# Check current kernel version
uname -r
# Update kernel on Debian-based systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# Verify ext4 module version after update
modinfo ext4 | grep -i version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
