CVE-2025-40167
In the Linux kernel, the following vulnerability has been resolved:

ext4: detect invalid INLINE_DATA + EXTENTS flag combination

syzbot reported a BUG_ON in ext4_es_cache_extent() when opening a verity file on a corrupted ext4 filesystem mounted without a journal.

The issue is that the filesystem has an inode with both the INLINE_DATA and EXTENTS flags set:

    EXT4-fs error (device loop0): ext4_cache_extents:545: inode #15: comm syz.0.17: corrupted extent tree: lblk 0 < prev 66

Investigation revealed that the inode has both flags set:

    DEBUG: inode 15 - flag=1, i_inline_off=164, has_inline=1, extents_flag=1

This is an invalid combination since an inode should have either:

- INLINE_DATA: data stored directly in the inode
- EXTENTS: data stored in extent-mapped blocks

Having both flags causes ext4_has_inline_data() to return true, skipping extent tree validation in __ext4_iget(). The unvalidated out-of-order extents then trigger a BUG_ON in ext4_es_cache_extent() due to integer underflow when calculating hole sizes.

Fix this by detecting this invalid flag combination early in ext4_iget() and rejecting the corrupted inode.
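The two checks the description relies on, modeled in userspace C over a raw on-disk inode: reject INLINE_DATA together with EXTENTS, then confirm the in-inode extents are in ascending order. This is an added example, not the kernel patch or code from this page; the names check_inode and hole_len_unchecked are hypothetical, and the offsets assume the standard ext4 inode layout (i_flags at 0x20, i_block at 0x28).

```c
#include <stdint.h>
#include <stdio.h>

#define EXT4_EXTENTS_FL     0x00080000u  /* on-disk i_flags bits */
#define EXT4_INLINE_DATA_FL 0x10000000u
#define EXT4_EXT_MAGIC      0xF30Au
enum verdict { INODE_OK, INODE_BAD_FLAGS, INODE_BAD_EXTENTS, INODE_TOO_SHORT };

static uint32_t le16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t le32(const uint8_t *p) { return le16(p) | le16(p + 2) << 16; }

/* Hole size by plain unsigned subtraction: with lblk 0 after prev 66 it wraps. */
uint32_t hole_len_unchecked(uint32_t prev_end, uint32_t lblk) { return lblk - prev_end; }

/* raw: one on-disk inode; i_flags at 0x20, i_block (60 bytes) at 0x28. */
enum verdict check_inode(const uint8_t *raw, size_t len)
{
    if (len < 0x28 + 60)
        return INODE_TOO_SHORT;
    uint32_t flags = le32(raw + 0x20);
    /* Flag check comes first so inline-data handling cannot skip the extent checks. */
    if ((flags & EXT4_INLINE_DATA_FL) && (flags & EXT4_EXTENTS_FL))
        return INODE_BAD_FLAGS;
    if (!(flags & EXT4_EXTENTS_FL))
        return INODE_OK;
    const uint8_t *eh = raw + 0x28;             /* 12-byte extent header */
    uint32_t entries = le16(eh + 2), depth = le16(eh + 6);
    if (le16(eh) != EXT4_EXT_MAGIC || entries > 4)
        return INODE_BAD_EXTENTS;
    if (depth != 0)
        return INODE_OK;                        /* index node: leaf blocks are out of scope */
    uint64_t prev_end = 0;                      /* 64-bit, so lblk + n cannot wrap */
    for (uint32_t i = 0; i < entries; i++) {
        const uint8_t *ex = eh + 12 + 12 * i;   /* ee_block le32, ee_len le16 */
        uint32_t lblk = le32(ex), n = le16(ex + 4);
        if (n > 32768)
            n -= 32768;                         /* unwritten extent: length stored + 32768 */
        if (n == 0 || lblk < prev_end)
            return INODE_BAD_EXTENTS;           /* empty, overlapping or out of order */
        prev_end = (uint64_t)lblk + n;
    }
    return INODE_OK;
}

int main(void)
{
    uint8_t raw[128] = {0};                     /* constructed sample inode, not from a real image */
    raw[0x22] = 0x08; raw[0x23] = 0x10;         /* i_flags = INLINE_DATA | EXTENTS */
    printf("verdict=%d hole=%u\n", (int)check_inode(raw, sizeof raw),
           (unsigned)hole_len_unchecked(66, 0));
    return 0;
}
```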
Affected versions
Linux kernel versions 3.8 and later are affected. Fixed in 5.4.301, 5.10.246, 5.15.196, 6.1.158, 6.6.114, 6.12.55, 6.17.5, 6.18 and their respective stable series.
References
The following references provide additional information about CVE-2025-40167 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.
- Patch: Kernel patch commit https://git.kernel.org/stable/c/1437c95ab2a28b138d4521653583729f61ccb48b
- Patch: Kernel patch commit https://git.kernel.org/stable/c/1d3ad183943b38eec2acf72a0ae98e635dc8456b
- Patch: Kernel patch commit https://git.kernel.org/stable/c/1f5ccd22ff482639133f2a0fe08f6d19d0e68717
Frequently asked questions
- What is CVE-2025-40167?
  CVE-2025-40167 is a Linux kernel vulnerability that has not been assigned a severity score. It affects Linux kernel versions from 3.8 onward and has been patched in 5.4.301, 5.10.246, 5.15.196 and others. CVE-2025-40167 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
- Is there a patch available for CVE-2025-40167?
  Yes, CVE-2025-40167 has been patched. Fixed versions include 5.4.301, 5.10.246, 5.15.196 and others. If you are running a Linux kernel from 3.8 onward that predates the fixed version for its branch, apply the relevant patch for your kernel branch.
- Is CVE-2025-40167 actively exploited?
  No, CVE-2025-40167 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.