CVE-2025-38701
ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
Description
In the Linux kernel, the following vulnerability has been resolved: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maiciouly fuzzed file system, we shouldn't BUG, but rather, report it as a corrupted file system. Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii ext4_create_inline_data() and ext4_inline_data_truncate().
INFO
Published Date :
Sept. 4, 2025, 4:15 p.m.
Last Modified :
Sept. 5, 2025, 5:47 p.m.
Remotely Exploit :
No
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Solution
- Update the Linux kernel to include the fix.
- Handle missing system.data as a file system error.
- Replace BUG_ON with EXT4_ERROR_INODE calls.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-38701.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-38701 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-38701
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-38701 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2025-38701 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Sep. 04, 2025
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maiciouly fuzzed file system, we shouldn't BUG, but rather, report it as a corrupted file system. Add similar replacements of BUG_ON with EXT4_ERROR_INODE() ii ext4_create_inline_data() and ext4_inline_data_truncate(). Added Reference https://git.kernel.org/stable/c/099b847ccc6c1ad2f805d13cfbcc83f5b6d4bc42 Added Reference https://git.kernel.org/stable/c/1199a6399895f4767f0b9a68a6ff47c3f799b7c7 Added Reference https://git.kernel.org/stable/c/279c87ef7b9da34f65c2e4db586e730b667a6fb9 Added Reference https://git.kernel.org/stable/c/2817ac83cb4732597bf36853fe13ca616f4ee4e2 Added Reference https://git.kernel.org/stable/c/7f322c12df7aeed1755acd3c6fab48c7807795fb Added Reference https://git.kernel.org/stable/c/8085a7324d8ec448c4a764af7853e19bbd64e17a Added Reference https://git.kernel.org/stable/c/81e7e2e7ba07e7c8cdce43ccad2f91adbc5a919c Added Reference https://git.kernel.org/stable/c/8a6f89d42e61788605722dd9faf98797c958a7e5 Added Reference https://git.kernel.org/stable/c/d960f4b793912f35e9d72bd9d1e90553063fcbf1