CVE-2025-40179 | ext4: verify orphan file size is not too big

In the Linux kernel, the following vulnerability has been resolved: ext4: verify orphan file size is not too big In principle orphan file can be arbitrarily large. However orphan replay needs to traverse it all and we also pin all its buffers in memory. Thus filesystems with absurdly large orphan files can lead to big amounts of memory consumed. Limit orphan file size to a sane value and also use kvmalloc() for allocating array of block descriptor structures to avoid large order allocations for sane but large orphan files.

Published: 2025-11-12 Last update: 2026-04-15 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2025-40179 is rated Low Risk (5.5/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-40179

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-11-13	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-40179

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-40179

OS Trackers for CVE-2025-40179

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-40179 unimportant priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-40179
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2025-40179
`suse`	medium	CVE-2025-40179 severity moderate: SUSE including 468 source package names (13.2-9.1:libsystemd0-254.23-1.1, 13.2-9.1:libudev1-254.23-1.1, …), 1094 product×package rows across 194 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (194 product lines)): Fixed 643, Known Affected 231, Known Not Affected 195, First Fixed 25.	https://www.suse.com/security/cve/CVE-2025-40179/
`ubuntu`	medium	CVE-2025-40179 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 177, released 158, not-affected 49, needed 8, pending 3.	https://ubuntu.com/security/CVE-2025-40179

Affected software / configurations for CVE-2025-40179

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-40179

URL	Tags
https://git.kernel.org/stable/c/0a6ce20c156442a4ce2a404747bb0fb05d54eeb3
https://git.kernel.org/stable/c/2b9da798ff0f4d026c5f0f815047393ebe7d8859
https://git.kernel.org/stable/c/304fc34ff6fc8261138fd81f119e024ac3a129e9
https://git.kernel.org/stable/c/566a1d6084563bd07433025aa23bcea4427de107
https://git.kernel.org/stable/c/95a21611b14ae0a401720645245a8db16f040995
https://git.kernel.org/stable/c/a2d803fab8a6c6a874277cb80156dc114db91921

cvelogic Threat Intelligence