CVE-2025-38580: 
Linux Ubuntu vulnerability analysis and mitigation

CVE-2025-38580 is a vulnerability discovered in the Linux kernel affecting the ext4 filesystem component. The vulnerability was disclosed on August 19, 2025, and involves an inode use-after-free issue in the ext4_end_io_rsv_work() function (NVD, Debian Tracker).

The vulnerability occurs in the ext4_io_end_defer_completion() function where an io_end that requires no conversion could be incorrectly added to the i_rsv_conversion_list. This can lead to starting an unnecessary worker process. The issue is compounded by the lack of proper checks for ext4_emergency_state() and inconsistent handling between ext4_put_io_end_defer() and ext4_end_bio() functions. When EXT4_IO_END_FAILED is set but data_err=abort is not enabled, this can result in a use-after-free condition where the inode could be freed before ext4_end_io_rsv_work() is called (NVD).

The vulnerability affects various Linux distributions and their kernel packages, including Ubuntu's multiple kernel variants and Debian's releases. Multiple kernel versions across different distributions required patches to address this vulnerability (Debian Tracker).

The vulnerability has been fixed in multiple Linux distributions with various kernel updates. Ubuntu has released fixes for multiple kernel variants including linux-aws (5.15.0-1069.75), linux-azure (5.15.0-1072.81), and linux-gcp (5.15.0-1068.76). Debian has also addressed this in their releases including bullseye (5.10.237-1), bookworm (6.1.147-1), and trixie (6.12.41-1) (Debian Tracker).