CVE-2025-71123 Overview
A buffer overflow vulnerability has been identified in the Linux kernel's ext4 filesystem implementation, specifically in the parse_apply_sb_mount_options() function. The flaw occurs due to improper use of strscpy_pad() when copying a non-NUL-terminated string into a NUL-terminated string of potentially larger size. This can trigger a kernel warning and potential memory corruption when processing malformed mount options.
The vulnerability was discovered through fuzzing by the Linux Verification Center (linuxtesting.org) using Syzkaller, a kernel fuzzing tool. When triggered, the kernel reports a buffer overflow detection: "strnlen: detected buffer overflow: 65 byte read of buffer size 64" followed by a kernel WARNING.
Critical Impact
Local attackers with the ability to mount ext4 filesystems could potentially trigger kernel warnings and cause system instability through crafted mount options with non-NUL-terminated strings in the s_mount_opts field.
Affected Products
- Linux Kernel (ext4 filesystem implementation)
- Systems using ext4 filesystem with configurable mount options
- Kernel versions prior to security patches (multiple stable branches affected)
Discovery Timeline
- 2026-01-14 - CVE CVE-2025-71123 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-71123
Vulnerability Analysis
This vulnerability resides in the ext4 superblock mount options parsing logic within fs/ext4/super.c. The core issue stems from the improper handling of string boundaries when copying the s_mount_opts field during filesystem initialization.
The strscpy_pad() function was being used incorrectly to copy a potentially non-NUL-terminated string into a NUL-terminated buffer. The s_mount_opts field is expected to be at most 63 characters with the 64th byte being a NUL terminator. However, if userspace provides malformed data where this expectation is violated, the kernel's fortify protection detects a buffer overread condition.
The call stack reveals this occurs during the ext4_fill_super() operation when a filesystem is being mounted, specifically within the __ext4_fill_super() → parse_apply_sb_mount_options() code path. The vulnerability can be triggered via the mount() system call when processing crafted ext4 filesystem images.
Root Cause
The root cause is the misuse of the strscpy_pad() function for string copying operations. As documented in commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()"), strscpy_pad() cannot safely copy a non-NUL-terminated source string into a NUL-terminated destination buffer of potentially larger size.
The fix introduces a properly sized 64-byte buffer that matches the size of s_mount_opts, ensuring strscpy_pad() operates correctly. Additionally, the patch adds error handling to detect and reject cases where userspace provides a non-NUL-terminated string in this field.
Attack Vector
An attacker would need local access and the ability to mount filesystems. The attack involves:
- Creating or modifying an ext4 filesystem image with a malformed s_mount_opts field that lacks proper NUL-termination
- Mounting this crafted filesystem, triggering the vulnerable code path in parse_apply_sb_mount_options()
- The kernel's fortify protection detects a 65-byte read from a 64-byte buffer, triggering a WARNING
The vulnerability is triggered during the mount operation through the following kernel path: __x64_sys_mount() → do_mount() → path_mount() → do_new_mount() → vfs_get_tree() → get_tree_bdev_flags() → ext4_fill_super() → __ext4_fill_super() → parse_apply_sb_mount_options().
While the immediate impact is a kernel warning and potential system log spam, memory corruption vulnerabilities in kernel string handling can sometimes be escalated to more severe attacks.
Detection Methods for CVE-2025-71123
Indicators of Compromise
- Kernel log messages containing "strnlen: detected buffer overflow: 65 byte read of buffer size 64"
- WARNING traces originating from __fortify_report in lib/string_helpers.c
- Call traces showing parse_apply_sb_mount_options or ext4_fill_super functions
- Unexpected kernel warnings during ext4 filesystem mount operations
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for fortify-related warnings and buffer overflow detections
- Deploy audit rules to track mount() system calls with ext4 filesystem type
- Implement file integrity monitoring on critical ext4 filesystem images
- Use kernel tracing tools (ftrace, eBPF) to monitor ext4 superblock parsing functions
Monitoring Recommendations
- Configure centralized logging to capture kernel WARNING messages from affected systems
- Set up alerting for patterns matching "fortify_report" or "buffer overflow" in kernel logs
- Monitor for unusual mount activity, especially involving untrusted or external storage devices
- Consider implementing mandatory access control (SELinux/AppArmor) policies to restrict mount capabilities
How to Mitigate CVE-2025-71123
Immediate Actions Required
- Update the Linux kernel to a patched version from the stable branches
- Restrict mount capabilities to trusted users and processes using capabilities or mandatory access control
- Audit systems for unauthorized or suspicious ext4 filesystem images
- Consider enabling additional kernel hardening options such as CONFIG_FORTIFY_SOURCE
Patch Information
The Linux kernel developers have released patches across multiple stable branches. The fix properly sizes the buffer to 64 bytes (matching s_mount_opts) and adds validation to reject non-NUL-terminated strings. The following kernel commits address this vulnerability:
- Kernel Git Commit 52ac96c
- Kernel Git Commit 5bbacbb
- Kernel Git Commit 6e37143
- Kernel Git Commit 902ca23
- Kernel Git Commit db9ee13
- Kernel Git Commit ee5a977
Apply the appropriate patch for your kernel version from the stable kernel trees.
Workarounds
- Restrict filesystem mount permissions using CAP_SYS_ADMIN capability controls
- Use AppArmor or SELinux policies to limit which processes can perform mount operations
- Avoid mounting untrusted ext4 filesystem images from unknown sources
- Enable and monitor kernel hardening features including FORTIFY_SOURCE
# Restrict mount capabilities example using setcap (for specific binaries)
# Remove unnecessary CAP_SYS_ADMIN from untrusted processes
setcap -r /path/to/untrusted_binary
# Check current kernel version
uname -r
# Monitor for vulnerability triggers in kernel logs
dmesg | grep -E "(fortify|buffer overflow|parse_apply_sb_mount_options)"
# Audit mount system calls
auditctl -a always,exit -F arch=b64 -S mount -k mount_operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
