What is CVE-2025-40119?

CVE-2025-40119 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.17 onward and patched in 6.17.3 and 6.18. CVE-2025-40119 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2025-40119?

CVE-2025-40119 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2025-40119?

Yes, CVE-2025-40119 has been patched. Fixed versions include 6.17.3 and 6.18. If you are running Linux kernel 6.17 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2025-40119 actively exploited?

CVE-2025-40119 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2025-40119

In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential null deref in ext4_mb_init() In ext4_mb_init(), ext4_mb_avg_fragment_size_destroy() may be called when sbi->s_mb_avg_fragment_size remains uninitialized (e.g., if groupinfo slab cache allocation fails). Since ext4_mb_avg_fragment_size_destroy() lacks null pointer checking, this leads to a null pointer dereference. ================================================================== EXT4-fs: no memory for groupinfo slab cache BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0002 [#1] SMP PTI CPU:2 UID: 0 PID: 87 Comm:mount Not tainted 6.17.0-rc2 #1134 PREEMPT(none) RIP: 0010:_raw_spin_lock_irqsave+0x1b/0x40 Call Trace: <TASK> xa_destroy+0x61/0x130 ext4_mb_init+0x483/0x540 __ext4_fill_super+0x116d/0x17b0 ext4_fill_super+0xd3/0x280 get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x29/0xd0 do_new_mount+0x197/0x300 __x64_sys_mount+0x116/0x150 do_syscall_64+0x50/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ================================================================== Therefore, add necessary null check to ext4_mb_avg_fragment_size_destroy() to prevent this issue. The same fix is also applied to ext4_mb_largest_free_orders_destroy().

Package Linux Kernel

Published 2025-11-12

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.17 and later are affected. Fixed in 6.17.3, 6.18 and their respective stable series.

Affected from

≥ 6.17

Fixed in

✓ 6.17.3 6.17.x ✓ 6.18

References

The following references provide additional information about CVE-2025-40119 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/00110f3cfc9b34b2dfee2a6c9e55a0ae6df125ae
Patch
Kernel patch commit
https://git.kernel.org/stable/c/08d9175578d6a8e9b81921898fbf01aa669cd2be
Patch
Kernel patch commit
https://git.kernel.org/stable/c/3c3fac6bc0a9c00dbe65d8dc0d3a282afe4d3188
Patch

Frequently asked questions

What is CVE-2025-40119?

CVE-2025-40119 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.17 onward and has been patched in 6.17.3 and 6.18. CVE-2025-40119 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2025-40119?

Yes — CVE-2025-40119 has been patched. Fixed versions include 6.17.3 and 6.18. If you are running Linux kernel 6.17 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2025-40119 actively exploited?

No — CVE-2025-40119 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.