CVE-2025-38580

{"id": "CVE-2025-38580", "cveTags": [], "metrics": {}, "published": "2025-08-19T17:15:35.160", "references": [{"url": "https://git.kernel.org/stable/c/469c44e66e2110054949609dde095788320139d0", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac999862b98a0f49e858e509f776be51406f1e77", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c678bdc998754589cea2e6afab9401d7d8312ac4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Received", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix inode use after free in ext4_end_io_rsv_work()\n\nIn ext4_io_end_defer_completion(), check if io_end->list_vec is empty to\navoid adding an io_end that requires no conversion to the\ni_rsv_conversion_list, which in turn prevents starting an unnecessary\nworker. An ext4_emergency_state() check is also added to avoid attempting\nto abort the journal in an emergency state.\n\nAdditionally, ext4_put_io_end_defer() is refactored to call\next4_io_end_defer_completion() directly instead of being open-coded.\nThis also prevents starting an unnecessary worker when EXT4_IO_END_FAILED\nis set but data_err=abort is not enabled.\n\nThis ensures that the check in ext4_put_io_end_defer() is consistent with\nthe check in ext4_end_bio(). Otherwise, we might add an io_end to the\ni_rsv_conversion_list and then call ext4_finish_bio(), after which the\ninode could be freed before ext4_end_io_rsv_work() is called, triggering\na use-after-free issue."}], "lastModified": "2025-08-19T17:15:35.160", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}