Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71269

CVE-2025-71269: Linux Kernel Privilege Escalation Flaw

CVE-2025-71269 is a privilege escalation vulnerability in the Linux kernel's btrfs filesystem that affects data reservation handling. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-71269 Overview

A vulnerability has been identified in the Linux kernel's Btrfs file system involving improper handling of qgroup data reservations during the fallback path from inline extent creation. When inline extent creation fails due to -ENOSPC (no space left on device), the code incorrectly frees reserved qgroup data before attempting the normal COW (Copy-on-Write) path, which leads to memory management issues as the data will still be used.

Critical Impact

This vulnerability affects the Btrfs file system's data reservation handling, potentially leading to improper memory management and data inconsistencies when disk space conditions trigger fallback code paths.

Affected Products

  • Linux kernel with Btrfs file system support
  • Systems utilizing Btrfs qgroup (quota group) functionality
  • Btrfs volumes operating under low disk space conditions

Discovery Timeline

  • 2026-03-18 - CVE CVE-2025-71269 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2025-71269

Vulnerability Analysis

The vulnerability exists in the Btrfs file system's inline extent creation logic. When the file system attempts to create an inline extent but encounters an -ENOSPC error (indicating insufficient space), it falls back to the normal COW path. This fallback path involves reserving an extent, creating an ordered extent, and proceeding with standard write operations.

The flaw lies in the premature freeing of reserved qgroup data during this transition. The qgroup subsystem in Btrfs tracks space usage for quota enforcement, and this reserved data should only be freed when it's no longer needed. By freeing this reservation too early—specifically when the fallback path will still use the data—the kernel creates a resource management inconsistency that could lead to accounting errors or undefined behavior.

Root Cause

The root cause is a logic error in the __cow_file_range_inline() function. The function was unconditionally freeing reserved qgroup data upon any failure, without distinguishing between failures that would proceed to use the data (fallback to COW path) and failures where the data would not be used. The fix ensures that qgroup data is only freed when ret is less than or equal to 0, indicating the fallback path will not be taken.

Attack Vector

This vulnerability is triggered under specific conditions involving disk space pressure on Btrfs file systems with qgroup enabled. An attacker with local access could potentially trigger this condition by:

  1. Filling a Btrfs volume to near capacity
  2. Performing write operations that initially attempt inline extent creation
  3. Forcing the -ENOSPC fallback path to be taken repeatedly

The vulnerability is primarily a denial-of-service risk through resource accounting corruption rather than a direct security exploitation vector. The attack requires local file system access and specific volume configuration.

Detection Methods for CVE-2025-71269

Indicators of Compromise

  • Unexpected Btrfs qgroup accounting inconsistencies or quota errors in system logs
  • Kernel warnings or errors related to __cow_file_range_inline() function
  • Unexplained space accounting discrepancies on Btrfs volumes with qgroups enabled

Detection Strategies

  • Monitor kernel logs for Btrfs-related warnings, particularly around inline extent operations and qgroup reservations
  • Implement file system integrity monitoring on Btrfs volumes, especially those approaching capacity
  • Use auditd or similar tools to track unusual file system behavior under low disk space conditions

Monitoring Recommendations

  • Enable Btrfs debug logging on production systems to capture detailed file system operations
  • Set up alerts for disk space thresholds to proactively identify conditions that could trigger this vulnerability
  • Monitor qgroup balance operations and accounting discrepancies using btrfs qgroup show commands

How to Mitigate CVE-2025-71269

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the fix for this vulnerability
  • Review Btrfs volumes for qgroup accounting consistency using btrfs check commands
  • Ensure adequate free space on Btrfs volumes to reduce likelihood of -ENOSPC conditions triggering the vulnerable code path

Patch Information

The vulnerability has been addressed in the Linux kernel through commits that correct the qgroup data reservation handling logic. The fix modifies __cow_file_range_inline() to only free reserved qgroup data when the fallback path will not be taken (when ret <= 0).

Patch commits are available at:

Workarounds

  • Maintain sufficient free space on Btrfs volumes to minimize -ENOSPC conditions
  • Consider temporarily disabling qgroups on affected volumes if patching is not immediately possible: btrfs quota disable /mount/point
  • Monitor and balance Btrfs file systems regularly to optimize space allocation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.