CVE-2025-71123
Published: 14 January 2026
Summary
CVE-2025-71123 is a high-severity vulnerability (weakness type unspecified) in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 6.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-71123 is a vulnerability in the Linux kernel's ext4 filesystem implementation, specifically in the parse_apply_sb_mount_options() function. The issue arises from improper use of strscpy_pad() on the superblock's s_mount_opts field, a potentially non-NUL-terminated string that userspace is expected to supply as at most 63 characters plus a NUL terminator (64 bytes total). Because strscpy_pad() bounds its read of the source by the destination size, a destination larger than 64 bytes lets strnlen read past the field; the kernel's FORTIFY checks detect this, emitting a warning and potentially crashing the kernel during ext4 superblock mount option parsing.
A local attacker with low privileges (PR:L) can exploit this vulnerability by supplying malformed mount options via the mount syscall when mounting an ext4 filesystem. The attack requires low complexity (AC:L) and no user interaction (UI:N), and can yield high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), for an overall CVSS v3.1 score of 7.8. Exploitation occurs in kernel context during vfs_get_tree and ext4_fill_super processing.
Mitigation is provided through patches in the Linux kernel stable trees, accessible via the referenced commits (e.g., 52ac96c4a2dd, 5bbacbbf1ca4). These fixes use a 64-byte buffer matching the size of s_mount_opts so that strscpy_pad() is used correctly, and return an error if a non-NUL-terminated string is still supplied, preventing the over-read. Systems should update to kernels incorporating these changes. The issue was discovered by the Linux Verification Center using the Syzkaller fuzzer.
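As an added illustration (not code from this page or from the kernel), the following userland model of the strscpy_pad() contract shows why the fix sizes the destination to the 64-byte s_mount_opts field and rejects a field that is not NUL-terminated. The names bounded_len, model_strscpy_pad and copy_sb_mount_opts are hypothetical, and the sample field contents are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define EXT4_MOUNT_OPTS_LEN 64   /* on-disk size of s_mount_opts (from the page) */

/* Bounded length, like the strnlen(src, size) inside the kernel's strscpy(). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/*
 * Userland model of strscpy_pad(): copy at most size-1 bytes, NUL-terminate,
 * zero-fill the rest, return the length or -E2BIG if src was truncated.
 * The source read is bounded by size, so a destination of exactly 64 bytes
 * never reads past a non-NUL-terminated 64-byte field; a larger destination
 * would (the 65-byte read FORTIFY reported in the trace on this page).
 */
static long model_strscpy_pad(char *dst, const char *src, size_t size)
{
    size_t len = bounded_len(src, size);
    size_t copy = len < size ? len : size - 1;
    memcpy(dst, src, copy);
    memset(dst + copy, 0, size - copy);
    return len < size ? (long)len : -E2BIG;
}

/*
 * Mirrors the patched flow: same-sized buffer, and reject the superblock if
 * the field is not NUL-terminated within 63 characters. Returns 0 or -EINVAL.
 */
int copy_sb_mount_opts(const char es_mount_opts[EXT4_MOUNT_OPTS_LEN],
                       char buf[EXT4_MOUNT_OPTS_LEN])
{
    if (model_strscpy_pad(buf, es_mount_opts, EXT4_MOUNT_OPTS_LEN) < 0) {
        memset(buf, 0, EXT4_MOUNT_OPTS_LEN);   /* do not leak a partial copy */
        return -EINVAL;
    }
    return 0;
}

int main(void)
{
    char good[EXT4_MOUNT_OPTS_LEN] = "data=journal,nodelalloc"; /* constructed */
    char bad[EXT4_MOUNT_OPTS_LEN], out[EXT4_MOUNT_OPTS_LEN];

    memset(bad, 'A', sizeof bad);                 /* constructed: no NUL at all */
    printf("good: rc=%d opts=\"%s\"\n", copy_sb_mount_opts(good, out), out);
    printf("bad:  rc=%d (EINVAL)\n", copy_sb_mount_opts(bad, out));
    return 0;
}
```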
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2490
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

ext4: fix string copying in parse_apply_sb_mount_options()

strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size. Commit 0efc5990bca5 ("string.h: Introduce memtostr() and memtostr_pad()") provides additional information in that regard.

So if this happens, the following warning is observed:

strnlen: detected buffer overflow: 65 byte read of buffer size 64
WARNING: CPU: 0 PID: 28655 at lib/string_helpers.c:1032 __fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Modules linked in:
CPU: 0 UID: 0 PID: 28655 Comm: syz-executor.3 Not tainted 6.12.54-syzkaller-00144-g5f0270f1ba00 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:__fortify_report+0x96/0xc0 lib/string_helpers.c:1032
Call Trace:
<TASK>
__fortify_panic+0x1f/0x30 lib/string_helpers.c:1039
strnlen include/linux/fortify-string.h:235 [inline]
sized_strscpy include/linux/fortify-string.h:309 [inline]
parse_apply_sb_mount_options fs/ext4/super.c:2504 [inline]
__ext4_fill_super fs/ext4/super.c:5261 [inline]
ext4_fill_super+0x3c35/0xad00 fs/ext4/super.c:5706
get_tree_bdev_flags+0x387/0x620 fs/super.c:1636
vfs_get_tree+0x93/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3553 [inline]
path_mount+0x6ae/0x1f70 fs/namespace.c:3880
do_mount fs/namespace.c:3893 [inline]
__do_sys_mount fs/namespace.c:4103 [inline]
__se_sys_mount fs/namespace.c:4080 [inline]
__x64_sys_mount+0x280/0x300 fs/namespace.c:4080
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x64/0x140 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e

Since userspace is expected to provide s_mount_opts field to be at most 63 characters long with the ending byte being NUL-term, use a 64-byte buffer which matches the size of s_mount_opts, so that strscpy_pad() does its job properly. Return with error if the user still managed to provide a non-NUL-term string here.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local kernel buffer over-read in ext4 mount option parsing, reachable by unprivileged users through the mount syscall, maps directly to Exploitation for Privilege Escalation.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation (SI-2) directly addresses the vulnerability by applying the kernel patches that fix the improper strscpy_pad() usage in ext4 mount option parsing.
Information input validation (SI-10) ensures that user-supplied mount options are checked for NUL-termination and length before being copied into kernel buffers, preventing the over-read.
Memory protection mechanisms such as stack canaries and address space layout randomization reduce the impact of buffer overflows in kernel space during ext4 superblock processing.