CVE-2025-71123 [High] | Memory Corruption in Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard. So if this happens, the following warning is observed: strnlen: detected buffer overflow: 65 byte read of buffer size 64 WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Modules linked in: CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032 Call Trace: <TASK> __fortify_panic+0x1f/0x30 lib/string_helpers.c:1039 strnlen include/linux/fortify-string.h:235 [inline] sized_strscpy include/linux/fortify-string.h:309 [inline] parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline] __ext4_fill_super fs/ext4/super.c:5261 [inline] ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706 get_tree_bdev_flags+0x387/0x620 fs/super.c:1636 vfs_get_tree+0x93/0x380 fs/super.c:1814 do_new_mount fs/namespace.c:3553 [inline] path_mount+0x6ae/0x1f70 fs/namespace.c:3880 do_mount fs/namespace.c:3893 [inline] __do_sys_mount fs/namespace.c:4103 [inline] __se_sys_mount fs/namespace.c:4080 [inline] __x64_sys_mount+0x280/0x300 fs/namespace.c:4080 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x76/0x7e Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here. Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-03-26	0.07%	0.02%	-0.05%
2	2026-02-13	0.02%	0.07%	+0.05%
3	2026-01-15	—	0.02%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-03-26

0.07%

0.02%

-0.05%

2026-02-13

0.02%

0.07%

+0.05%

2026-01-15

—

0.02%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

OS Trackers for CVE-2025-71123

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2025-71123 not yet assigned priority: Debian including 2 source packages (linux, linux-6.1), 6 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 6.	https://security-tracker.debian.org/tracker/CVE-2025-71123
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2025-71123
`suse`	medium	CVE-2025-71123 severity moderate: SUSE including 403 source package names (13.2-9.1:libsqlite3-0-3.49.1-1.1, 2.1.3-6.115:kernel-default-base-6.4.0-39.1.21.16, …), 706 product×package rows across 90 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (90 product lines)): Fixed 332, Known Affected 231, Known Not Affected 118, First Fixed 25.	https://www.suse.com/security/cve/CVE-2025-71123/
`ubuntu`	medium	CVE-2025-71123 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1562 status rows across 10 suites (bionic, focal, jammy, noble, plucky, questing, resolute, trusty, upstream, xenial): DNE 1157, ignored 174, released 119, not-affected 103, pending 9.	https://ubuntu.com/security/CVE-2025-71123

Affected software / configurations for CVE-2025-71123

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 5.4.301, < 5.5	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 5.10.246, < 5.10.248	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.1.158, < 6.1.160	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.6.114, < 6.6.120	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.12.54, < 6.12.64	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.17.4, < 6.18	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.18.1, < 6.18.3	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	6.18	cpe:2.3:o:linux:linux_kernel:6.18:-::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
linux	linux_kernel	6.19	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

References for CVE-2025-71123

URL	Tags
https://git.kernel.org/stable/c/52ac96c4a2dd7bc47666000440b0602d9742e820	Patch
https://git.kernel.org/stable/c/5bbacbbf1ca4419861dca3c6b82707c10e9c021c	Patch
https://git.kernel.org/stable/c/6e37143560e37869d51b7d9e0ac61fc48895f8a0	Patch
https://git.kernel.org/stable/c/902ca2356f1e3ec5355c5808ad5d3f9d0095b0cc	Patch
https://git.kernel.org/stable/c/db9ee13fab0267eccf6544ee35b16c9522db9aac	Patch
https://git.kernel.org/stable/c/ee5a977b4e771cc181f39d504426dbd31ed701cc	Patch

URL

CVE-2025-71123 | ext4: fix string copying in parse_apply_sb_mount_options()

Exploit prediction scoring system (EPSS) score for CVE-2025-71123

Common vulnerability scoring system (CVSS) metrics for CVE-2025-71123

Weakness enumeration for CVE-2025-71123

OS Trackers for CVE-2025-71123

Affected software / configurations for CVE-2025-71123

References for CVE-2025-71123