Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71123

CVE-2025-71123: Linux Kernel Buffer Overflow Vulnerability

CVE-2025-71123 is a buffer overflow flaw in the Linux kernel's ext4 filesystem that occurs during mount option parsing. This vulnerability can lead to system instability. This post covers technical details, impact, and mitigation.

Published:

CVE-2025-71123 Overview

A buffer overflow vulnerability has been identified in the Linux kernel's ext4 filesystem implementation, specifically in the parse_apply_sb_mount_options() function. The flaw occurs due to improper use of strscpy_pad() when copying a non-NUL-terminated string into a NUL-terminated string of potentially larger size. This can trigger a kernel warning and potential memory corruption when processing malformed mount options.

The vulnerability was discovered through fuzzing by the Linux Verification Center (linuxtesting.org) using Syzkaller, a kernel fuzzing tool. When triggered, the kernel reports a buffer overflow detection: "strnlen: detected buffer overflow: 65 byte read of buffer size 64" followed by a kernel WARNING.

Critical Impact

Local attackers with the ability to mount ext4 filesystems could potentially trigger kernel warnings and cause system instability through crafted mount options with non-NUL-terminated strings in the s_mount_opts field.

Affected Products

  • Linux Kernel (ext4 filesystem implementation)
  • Systems using ext4 filesystem with configurable mount options
  • Kernel versions prior to security patches (multiple stable branches affected)

Discovery Timeline

  • 2026-01-14 - CVE CVE-2025-71123 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2025-71123

Vulnerability Analysis

This vulnerability resides in the ext4 superblock mount options parsing logic within fs/ext4/super.c. The core issue stems from the improper handling of string boundaries when copying the s_mount_opts field during filesystem initialization.

The strscpy_pad() function was being used incorrectly to copy a potentially non-NUL-terminated string into a NUL-terminated buffer. The s_mount_opts field is expected to be at most 63 characters with the 64th byte being a NUL terminator. However, if userspace provides malformed data where this expectation is violated, the kernel's fortify protection detects a buffer overread condition.

The call stack reveals this occurs during the ext4_fill_super() operation when a filesystem is being mounted, specifically within the __ext4_fill_super()parse_apply_sb_mount_options() code path. The vulnerability can be triggered via the mount() system call when processing crafted ext4 filesystem images.

Root Cause

The root cause is the misuse of the strscpy_pad() function for string copying operations. As documented in commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()"), strscpy_pad() cannot safely copy a non-NUL-terminated source string into a NUL-terminated destination buffer of potentially larger size.

The fix introduces a properly sized 64-byte buffer that matches the size of s_mount_opts, ensuring strscpy_pad() operates correctly. Additionally, the patch adds error handling to detect and reject cases where userspace provides a non-NUL-terminated string in this field.

Attack Vector

An attacker would need local access and the ability to mount filesystems. The attack involves:

  1. Creating or modifying an ext4 filesystem image with a malformed s_mount_opts field that lacks proper NUL-termination
  2. Mounting this crafted filesystem, triggering the vulnerable code path in parse_apply_sb_mount_options()
  3. The kernel's fortify protection detects a 65-byte read from a 64-byte buffer, triggering a WARNING

The vulnerability is triggered during the mount operation through the following kernel path: __x64_sys_mount()do_mount()path_mount()do_new_mount()vfs_get_tree()get_tree_bdev_flags()ext4_fill_super()__ext4_fill_super()parse_apply_sb_mount_options().

While the immediate impact is a kernel warning and potential system log spam, memory corruption vulnerabilities in kernel string handling can sometimes be escalated to more severe attacks.

Detection Methods for CVE-2025-71123

Indicators of Compromise

  • Kernel log messages containing "strnlen: detected buffer overflow: 65 byte read of buffer size 64"
  • WARNING traces originating from __fortify_report in lib/string_helpers.c
  • Call traces showing parse_apply_sb_mount_options or ext4_fill_super functions
  • Unexpected kernel warnings during ext4 filesystem mount operations

Detection Strategies

  • Monitor kernel logs (dmesg, /var/log/kern.log) for fortify-related warnings and buffer overflow detections
  • Deploy audit rules to track mount() system calls with ext4 filesystem type
  • Implement file integrity monitoring on critical ext4 filesystem images
  • Use kernel tracing tools (ftrace, eBPF) to monitor ext4 superblock parsing functions

Monitoring Recommendations

  • Configure centralized logging to capture kernel WARNING messages from affected systems
  • Set up alerting for patterns matching "fortify_report" or "buffer overflow" in kernel logs
  • Monitor for unusual mount activity, especially involving untrusted or external storage devices
  • Consider implementing mandatory access control (SELinux/AppArmor) policies to restrict mount capabilities

How to Mitigate CVE-2025-71123

Immediate Actions Required

  • Update the Linux kernel to a patched version from the stable branches
  • Restrict mount capabilities to trusted users and processes using capabilities or mandatory access control
  • Audit systems for unauthorized or suspicious ext4 filesystem images
  • Consider enabling additional kernel hardening options such as CONFIG_FORTIFY_SOURCE

Patch Information

The Linux kernel developers have released patches across multiple stable branches. The fix properly sizes the buffer to 64 bytes (matching s_mount_opts) and adds validation to reject non-NUL-terminated strings. The following kernel commits address this vulnerability:

Apply the appropriate patch for your kernel version from the stable kernel trees.

Workarounds

  • Restrict filesystem mount permissions using CAP_SYS_ADMIN capability controls
  • Use AppArmor or SELinux policies to limit which processes can perform mount operations
  • Avoid mounting untrusted ext4 filesystem images from unknown sources
  • Enable and monitor kernel hardening features including FORTIFY_SOURCE
bash
# Restrict mount capabilities example using setcap (for specific binaries)
# Remove unnecessary CAP_SYS_ADMIN from untrusted processes
setcap -r /path/to/untrusted_binary

# Check current kernel version
uname -r

# Monitor for vulnerability triggers in kernel logs
dmesg | grep -E "(fortify|buffer overflow|parse_apply_sb_mount_options)"

# Audit mount system calls
auditctl -a always,exit -F arch=b64 -S mount -k mount_operations

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.