Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71184

CVE-2025-71184: Linux Kernel Btrfs NULL Dereference Flaw

CVE-2025-71184 is a NULL pointer dereference vulnerability in the Linux kernel's btrfs filesystem that occurs during inode eviction. This article covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2025-71184 Overview

A NULL pointer dereference vulnerability has been identified in the Linux kernel's Btrfs filesystem subsystem. The flaw exists in the btrfs_evict_inode() function, where tracing setup attempts to access the root's ID before validating that the root pointer is not NULL. This can lead to a kernel crash when evicting an inode under specific conditions where the root has not been properly initialized.

Critical Impact

This vulnerability can cause kernel crashes and system instability when the Btrfs filesystem attempts to evict inodes with NULL root pointers, potentially leading to denial of service conditions.

Affected Products

  • Linux Kernel (Btrfs filesystem subsystem)
  • Systems utilizing Btrfs as their primary or secondary filesystem
  • Linux distributions with vulnerable kernel versions

Discovery Timeline

  • 2026-01-31 - CVE CVE-2025-71184 published to NVD
  • 2026-02-03 - Last updated in NVD database

Technical Details for CVE-2025-71184

Vulnerability Analysis

The vulnerability occurs within the Btrfs filesystem's inode eviction handling mechanism. When the kernel evicts an inode, the btrfs_evict_inode() function is called. The first operation in this function is to set up tracing, which requires fetching the root's ID via ->root_objectid. However, the root pointer can legitimately be NULL under certain conditions, as evidenced by the NULL check that follows this tracing setup code.

By accessing the root pointer to fetch the root_objectid before verifying its validity, the code creates a condition where a NULL pointer dereference can occur. This results in a kernel panic, causing the system to crash and become unavailable.

Root Cause

The root cause of this vulnerability is improper validation order in the btrfs_evict_inode() function. The tracing setup code attempts to access the root_objectid field without first checking if the root pointer is NULL. The fix addresses this by setting the root_objectid to 0 when the root is NULL, which maintains the ability to trace such calls while preventing the NULL dereference.

Attack Vector

The attack vector for this vulnerability is local. An attacker with local access to a system using the Btrfs filesystem could potentially trigger this condition through specific filesystem operations that cause inode eviction when the root pointer is in an uninitialized state. While exploitation requires local access, successful exploitation results in a kernel panic and denial of service.

The vulnerability manifests in the inode eviction path of the Btrfs filesystem. When tracing is enabled, the kernel attempts to access the root structure to retrieve the root_objectid. If the root pointer is NULL at this point, the dereference causes a kernel crash. See the kernel git commits for the technical fix implementation.

Detection Methods for CVE-2025-71184

Indicators of Compromise

  • Unexpected kernel panics or system crashes on systems using Btrfs filesystem
  • Kernel oops messages referencing btrfs_evict_inode in crash dumps or system logs
  • System instability during heavy filesystem operations on Btrfs volumes

Detection Strategies

  • Monitor kernel logs for NULL pointer dereference errors in the Btrfs subsystem
  • Implement kernel crash dump analysis to identify crashes originating from btrfs_evict_inode()
  • Deploy file integrity monitoring to detect unauthorized filesystem manipulation attempts

Monitoring Recommendations

  • Enable kernel crash dump collection (kdump) to capture diagnostic information during kernel panics
  • Configure syslog forwarding to centralized logging infrastructure to capture Btrfs-related error messages
  • Implement automated alerting on system reboots or unexpected kernel crashes

How to Mitigate CVE-2025-71184

Immediate Actions Required

  • Update the Linux kernel to a patched version that includes the fix for this vulnerability
  • Review systems using Btrfs filesystems and prioritize patching based on criticality
  • Consider temporarily switching to alternative filesystems on critical systems if immediate patching is not possible

Patch Information

The vulnerability has been addressed in the Linux kernel through multiple commits. The fix modifies the tracing setup code to check if the root pointer is NULL before accessing root_objectid, and sets the value to 0 if the root is NULL to maintain traceability while preventing the crash.

Patches are available through the official kernel git repository:

Workarounds

  • If patching is not immediately possible, consider disabling Btrfs tracing to reduce exposure
  • Restrict local access to systems using Btrfs to trusted users only
  • Monitor Btrfs filesystem health and schedule patching during maintenance windows
bash
# Check current kernel version
uname -r

# Update kernel using package manager (example for Debian/Ubuntu)
sudo apt update && sudo apt upgrade linux-image-$(uname -r)

# Verify Btrfs module status
lsmod | grep btrfs

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.