EUVD-2025-208840Lifecycle Timeline
4Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix reservation leak in some error paths when inserting inline extent If we fail to allocate a path or join a transaction, we return from __cow_file_range_inline() without freeing the reserved qgroup data, resulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data() in such cases.
Analysis
A resource leak vulnerability exists in the Linux kernel's btrfs filesystem implementation where reserved qgroup data fails to be freed in error paths during inline extent insertion operations. This affects all Linux versions with vulnerable btrfs code, and allows local attackers with filesystem write access to exhaust kernel memory resources through repeated failed inline extent insertions, potentially causing denial of service. No active exploitation in the wild has been reported, but kernel memory exhaustion vulnerabilities are routinely targeted by local privilege escalation chains.
Technical Context
The vulnerability resides in the btrfs (B-tree filesystem) subsystem of the Linux kernel, specifically in the __cow_file_range_inline() function responsible for copy-on-write operations when inserting inline extents. When the function fails to allocate a path structure or join a transaction during inline extent insertion, it returns without calling btrfs_qgroup_free_data() to release reserved quota group (qgroup) data resources that were allocated earlier in the execution path. This is a classic resource leak (CWE-404: Improper Resource Shutdown or Release) where allocated kernel memory accounting structures remain reserved but never freed. The qgroup subsystem in btrfs is used for quota management and accounting; failing to return reserved data results in permanent loss of available quota space within the filesystem context. The affected product is the Linux kernel itself (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), impacting all distributions that include vulnerable btrfs code.
Affected Products
The Linux kernel is affected across all versions that include the vulnerable btrfs implementation code. The CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* indicates all Linux versions are potentially in scope. Specific patch references are available via the Linux kernel stable tree at https://git.kernel.org/stable/c/f7156512c8166d385f574b9ec030479aa7b1e8c9, https://git.kernel.org/stable/c/28b97fcbbf523779688e8de5fe55bf2dae3859f6, https://git.kernel.org/stable/c/f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913, https://git.kernel.org/stable/c/28768bd3abf9995a93f6e01bfce01c60622964dd, and https://git.kernel.org/stable/c/c1c050f92d8f6aac4e17f7f2230160794fceef0c. Distribution vendors should backport these commits to their respective kernel packages; the presence of multiple stable tree commits suggests the fix was applied across multiple kernel release branches (e.g., 5.15.x, 5.10.x, 6.1.x, 6.6.x).
Remediation
Apply the upstream kernel patch by upgrading to a patched kernel version from your distribution (consult your Linux vendor for specific version numbers containing commits f7156512c8166d385f574b9ec030479aa7b1e8c9 or later). Most major distributions (Ubuntu, RHEL, Debian, etc.) will backport this fix into their stable kernel updates within normal update cycles. Until patching is completed, restrict filesystem write access to btrfs-backed volumes only to trusted users, disable btrfs qgroup quotas if not actively required (via btrfs quota disable), and monitor kernel memory pressure via tools such as /proc/slabinfo to detect potential leaks. For production systems using btrfs with qgroup enforcement, prioritize kernel patching as this leak can accumulate under sustained malicious activity.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.10.223-1 | - |
| bullseye (security) | vulnerable | 5.10.251-1 | - |
| bookworm | fixed | 6.1.164-1 | - |
| bookworm (security) | fixed | 6.1.164-1 | - |
| trixie | fixed | 6.12.73-1 | - |
| trixie (security) | fixed | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | fixed | 6.18.10-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today