EUVD-2025-208842Lifecycle Timeline
4Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: do not free data reservation in fallback from inline due to -ENOSPC If we fail to create an inline extent due to -ENOSPC, we will attempt to go through the normal COW path, reserve an extent, create an ordered extent, etc. However we were always freeing the reserved qgroup data, which is wrong since we will use data. Fix this by freeing the reserved qgroup data in __cow_file_range_inline() only if we are not doing the fallback (ret is <= 0).
Analysis
A resource management vulnerability exists in the Linux kernel's Btrfs filesystem implementation where qgroup data reservations are incorrectly freed when an inline extent creation fails due to -ENOSPC (no space available). This causes the kernel to prematurely release qgroup quota accounting for data that will actually be used when the operation falls back to the normal copy-on-write path, potentially leading to qgroup quota inconsistencies and information disclosure about quota state. All Linux distributions using Btrfs with qgroup quota tracking enabled are affected. While no CVSS score or EPSS risk score has been assigned, the vulnerability has stable patches available in the Linux kernel repository.
Technical Context
The vulnerability is located in the Btrfs filesystem code within the Linux kernel, specifically in the qgroup (quota group) data reservation handling during inline extent creation fallback scenarios. The Btrfs filesystem uses qgroups to track and limit data usage across subvolumes. When the kernel attempts to create an inline extent (a small file stored directly in metadata) and encounters insufficient space (-ENOSPC), it falls back to a normal copy-on-write allocation path. However, the buggy code in __cow_file_range_inline() unconditionally frees the reserved qgroup data quota even when fallback occurs, meaning the quota is released but the data space is still consumed by the fallback COW operation. This violates the invariant that reserved qgroup quota must match actual usage. The affected products are identified via CPE as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across all affected versions. While no specific CWE is listed in the disclosure, this represents a resource management flaw where quota accounting and actual resource consumption become desynchronized.
Affected Products
The Linux kernel at all versions is affected according to the CPE designation cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*. The vulnerability is specific to kernel builds that include Btrfs filesystem support with qgroup quota tracking enabled. All major Linux distributions shipping recent kernel versions (Ubuntu, Red Hat, Debian, Fedora, SUSE, and others) are affected unless they have already integrated the fixes. Stable patches are available via the Linux kernel Git repository as referenced in commits 6de3a371a8b9fd095198b1aa68c22cc10a4c6961 and f8da41de0bff9eb1d774a7253da0c9f637c4470a accessible at https://git.kernel.org/stable/c/6de3a371a8b9fd095198b1aa68c22cc10a4c6961 and https://git.kernel.org/stable/c/f8da41de0bff9eb1d774a7253da0c9f637c4470a respectively.
Remediation
Apply Linux kernel updates that include the Btrfs qgroup reservation fix, which has been committed to the stable kernel branches. Users should upgrade to the latest stable kernel version available for their distribution, which will include commit 6de3a371a8b9fd095198b1aa68c22cc10a4c6961 or equivalent. For systems unable to immediately patch, disable Btrfs qgroup quota tracking if not operationally required by setting the qgroup tracking to off, though this removes quota enforcement protections. Monitor kernel release notes from your distribution (Ubuntu Security Notices, Red Hat Security Advisories, SUSE Security Updates) for the specific patched kernel version applicable to your system. Apply the patch as part of a regular kernel update cycle, prioritizing systems where Btrfs with qgroups is actively used for quota enforcement or multi-tenant isolation.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.10.223-1 | - |
| bullseye (security) | vulnerable | 5.10.251-1 | - |
| bookworm | vulnerable | 6.1.159-1 | - |
| bookworm (security) | vulnerable | 6.1.164-1 | - |
| trixie | vulnerable | 6.12.73-1 | - |
| trixie (security) | vulnerable | 6.12.74-2 | - |
| forky | fixed | 6.19.6-2 | - |
| sid | fixed | 6.19.8-1 | - |
| (unstable) | fixed | 6.18.10-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today