CVE-2025-71269 Overview
A vulnerability has been identified in the Linux kernel's Btrfs file system involving improper handling of qgroup data reservations during the fallback path from inline extent creation. When inline extent creation fails due to -ENOSPC (no space left on device), the code incorrectly frees reserved qgroup data before attempting the normal COW (Copy-on-Write) path, which leads to memory management issues as the data will still be used.
Critical Impact
This vulnerability affects the Btrfs file system's data reservation handling, potentially leading to improper memory management and data inconsistencies when disk space conditions trigger fallback code paths.
Affected Products
- Linux kernel with Btrfs file system support
- Systems utilizing Btrfs qgroup (quota group) functionality
- Btrfs volumes operating under low disk space conditions
Discovery Timeline
- 2026-03-18 - CVE CVE-2025-71269 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2025-71269
Vulnerability Analysis
The vulnerability exists in the Btrfs file system's inline extent creation logic. When the file system attempts to create an inline extent but encounters an -ENOSPC error (indicating insufficient space), it falls back to the normal COW path. This fallback path involves reserving an extent, creating an ordered extent, and proceeding with standard write operations.
The flaw lies in the premature freeing of reserved qgroup data during this transition. The qgroup subsystem in Btrfs tracks space usage for quota enforcement, and this reserved data should only be freed when it's no longer needed. By freeing this reservation too early—specifically when the fallback path will still use the data—the kernel creates a resource management inconsistency that could lead to accounting errors or undefined behavior.
Root Cause
The root cause is a logic error in the __cow_file_range_inline() function. The function was unconditionally freeing reserved qgroup data upon any failure, without distinguishing between failures that would proceed to use the data (fallback to COW path) and failures where the data would not be used. The fix ensures that qgroup data is only freed when ret is less than or equal to 0, indicating the fallback path will not be taken.
Attack Vector
This vulnerability is triggered under specific conditions involving disk space pressure on Btrfs file systems with qgroup enabled. An attacker with local access could potentially trigger this condition by:
- Filling a Btrfs volume to near capacity
- Performing write operations that initially attempt inline extent creation
- Forcing the -ENOSPC fallback path to be taken repeatedly
The vulnerability is primarily a denial-of-service risk through resource accounting corruption rather than a direct security exploitation vector. The attack requires local file system access and specific volume configuration.
Detection Methods for CVE-2025-71269
Indicators of Compromise
- Unexpected Btrfs qgroup accounting inconsistencies or quota errors in system logs
- Kernel warnings or errors related to __cow_file_range_inline() function
- Unexplained space accounting discrepancies on Btrfs volumes with qgroups enabled
Detection Strategies
- Monitor kernel logs for Btrfs-related warnings, particularly around inline extent operations and qgroup reservations
- Implement file system integrity monitoring on Btrfs volumes, especially those approaching capacity
- Use auditd or similar tools to track unusual file system behavior under low disk space conditions
Monitoring Recommendations
- Enable Btrfs debug logging on production systems to capture detailed file system operations
- Set up alerts for disk space thresholds to proactively identify conditions that could trigger this vulnerability
- Monitor qgroup balance operations and accounting discrepancies using btrfs qgroup show commands
How to Mitigate CVE-2025-71269
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix for this vulnerability
- Review Btrfs volumes for qgroup accounting consistency using btrfs check commands
- Ensure adequate free space on Btrfs volumes to reduce likelihood of -ENOSPC conditions triggering the vulnerable code path
Patch Information
The vulnerability has been addressed in the Linux kernel through commits that correct the qgroup data reservation handling logic. The fix modifies __cow_file_range_inline() to only free reserved qgroup data when the fallback path will not be taken (when ret <= 0).
Patch commits are available at:
Workarounds
- Maintain sufficient free space on Btrfs volumes to minimize -ENOSPC conditions
- Consider temporarily disabling qgroups on affected volumes if patching is not immediately possible: btrfs quota disable /mount/point
- Monitor and balance Btrfs file systems regularly to optimize space allocation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
