CVE-2025-23150: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free vulnerability (CVE-2025-23150) was discovered in the Linux kernel's ext4 filesystem implementation, specifically in the ext4insertdentry function. The vulnerability was identified by the Linux Verification Center using Syzkaller and was disclosed on May 1, 2025. The issue affects the Linux kernel's ext4 filesystem code and stems from an off-by-one error in the do_split function (NVD, Wiz).

The vulnerability occurs due to an off-by-one error in the dosplit function that leads to out-of-bounds access and subsequent use-after-free in ext4insert_dentry. The issue manifests when the loop counter 'i' can go down to -1, causing incorrect block size calculations when handling long filename entries in a single block. The vulnerability has been assigned a CVSS v3 Base Score of 5.5 (Moderate) (Wiz).

When exploited, this vulnerability can lead to use-after-free conditions in the ext4 filesystem, potentially resulting in system crashes, memory corruption, or unintended behavior when handling directory entries. The issue particularly affects systems with directories containing numerous long filenames (NVD).

The vulnerability has been fixed in Linux kernel version 6.12.25-1 for the sid release and 6.1.135-1 for the bookworm release. Users are advised to upgrade to these or later versions that contain the security fix (Debian).