CVE-2021-40490: 
Linux Kernel vulnerability analysis and mitigation

A race condition vulnerability (CVE-2021-40490) was discovered in ext4writeinlinedataend in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel through version 5.13.13. The vulnerability was disclosed on September 2, 2021, affecting the Linux kernel's ext4 filesystem implementation (NVD, Debian).

The vulnerability occurs when writing to an inlinedata file while its xattrs (extended attributes) are changing. The location of the system.data extended attribute can change whenever xattrsem is not taken, requiring recalculation of the iinlineoff field as it might have changed between ext4writebegin() and ext4writeend(). The vulnerability has been assigned a CVSS v3.1 base score of 7.0 (HIGH) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Kernel Patch).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability requires local access with low privileges and high attack complexity (NetApp Advisory).

A patch has been released to fix the vulnerability by recalculating the iinlineoff field since it might have changed between ext4writebegin() and ext4writeend(). Multiple Linux distributions have released security updates to address this vulnerability, including Debian (versions 4.9.290-1, 4.19.208-1, 5.10.46-5), Fedora (kernel-5.13.15), and others (Kernel Patch, Debian Advisory).