Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71159

CVE-2025-71159: Linux Kernel Use-After-Free Vulnerability

CVE-2025-71159 is a use-after-free flaw in Linux Kernel's btrfs file system that causes refcounting bugs due to missing memory barriers. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2025-71159 Overview

CVE-2025-71159 is a use-after-free vulnerability [CWE-416] in the btrfs filesystem code of the Linux kernel. The flaw resides in btrfs_get_or_create_delayed_node(), where a missing memory barrier allows stores to node->refs and btrfs_inode->delayed_node to become visible out of order. A concurrent thread can read btrfs_inode->delayed_node and increment a refcount that has not yet been initialized, producing a refcounting bug and a use-after-free warning.

The issue was introduced by commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes"), which moved refcount_set inside the root->delayed_nodes lock critical section.

Critical Impact

Local attackers with low privileges can trigger memory corruption in the kernel, potentially leading to privilege escalation or system compromise on systems using btrfs.

Affected Products

  • Linux Kernel 6.19-rc1
  • Linux Kernel 6.19-rc2
  • Linux Kernel 6.19-rc3 and 6.19-rc4

Discovery Timeline

  • 2026-01-23 - CVE-2025-71159 published to NVD
  • 2026-02-26 - Last updated in NVD database

Technical Details for CVE-2025-71159

Vulnerability Analysis

The vulnerability affects btrfs delayed node allocation, a mechanism used to batch metadata updates. The function btrfs_get_or_create_delayed_node() previously set the delayed node's refcount before acquiring the root->delayed_nodes lock, which provided an implicit memory barrier between initializing the refcount and publishing the pointer through btrfs_inode->delayed_node.

When commit e8513c012de7 introduced ref_tracker instrumentation for delayed_nodes, it relocated refcount_set into the critical section. This change eliminated the memory barrier separating the two writes. On weakly ordered architectures, the CPU can reorder these stores such that the btrfs_inode->delayed_node pointer becomes visible before the refcount is initialized.

Root Cause

The root cause is a missing memory barrier between two related stores. Without the barrier provided by lock acquisition, the refcount initialization and the pointer publication are not ordered with respect to other CPUs. A reader on another CPU can observe the published pointer while the refcount remains stale, then call refcount_inc() on an uninitialized counter. This leads to incorrect reference accounting and premature freeing of the delayed node structure.

Attack Vector

Exploitation requires local access with low privileges and no user interaction. An attacker triggers concurrent btrfs metadata operations against the same inode from multiple threads to race the delayed node creation path. Winning the race yields a use-after-free on a kernel object, which can be leveraged for memory disclosure or escalation of privilege on systems running affected kernels with btrfs mounted.

No public proof-of-concept exists for this issue. The vulnerability mechanism is documented in the upstream commits referenced in the Kernel Git Commit Details and the follow-up patch.

Detection Methods for CVE-2025-71159

Indicators of Compromise

  • Kernel log entries containing refcount_t: addition on 0; use-after-free or similar refcount warnings tied to btrfs.
  • Stack traces in dmesg referencing btrfs_get_or_create_delayed_node or btrfs_delayed_node.
  • Unexpected kernel oops or panic events on systems performing concurrent btrfs metadata workloads.

Detection Strategies

  • Inventory Linux hosts running kernel versions 6.19-rc1 through 6.19-rc4 with btrfs filesystems mounted.
  • Monitor /var/log/kern.log and journalctl -k for refcount warnings and WARN_ON traces originating in the btrfs subsystem.
  • Correlate kernel warnings with workloads that perform heavy concurrent file creation or metadata operations on btrfs volumes.

Monitoring Recommendations

  • Forward kernel logs to a centralized logging platform and alert on refcount and use-after-free signatures.
  • Track running kernel versions across the fleet with configuration management tooling to identify unpatched hosts.
  • Audit local user activity on multi-tenant systems for unusual filesystem stress patterns that could indicate race exploitation attempts.

How to Mitigate CVE-2025-71159

Immediate Actions Required

  • Apply the upstream btrfs patch that restores refcount_set to its original position before lock acquisition.
  • Update affected Linux kernels to a stable release containing the fix commits 83f59076a1ae and c8385851a543.
  • Restrict local shell access on multi-user systems where patching cannot be performed immediately.

Patch Information

The fix moves refcount_set back outside the root->delayed_nodes critical section so that lock acquisition provides the implicit memory barrier ordering the refcount initialization before the pointer publication. Because the allocations now happen outside the lock, they use GFP_NOFS instead of GFP_ATOMIC. Patch details are available at the Kernel Git Commit and the associated commit.

Workarounds

  • Where patching is delayed, migrate workloads off btrfs to a non-affected filesystem such as ext4 or xfs.
  • Limit concurrent metadata-heavy workloads on btrfs volumes from untrusted local accounts.
  • Avoid deploying 6.19 release candidate kernels in production until a fixed stable release is installed.
bash
# Verify running kernel version and check for btrfs mounts
uname -r
mount | grep btrfs

# After patching, confirm the fixed commit is present
zcat /proc/config.gz | grep CONFIG_BTRFS_FS
dmesg | grep -i btrfs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.