Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not free data reservation in fallback from inline due to -ENOSPC

If we fail to create an inline extent due to -ENOSPC, we will attempt to
go through the normal COW path, reserve an extent, create an ordered
extent, etc. However we were always freeing the reserved qgroup data,
which is wrong since we will use data. Fix this by freeing the reserved
qgroup data in __cow_file_range_inline() only if we are not doing the
fallback (ret is <= 0).
Published: 2026-03-18
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Linux kernel’s btrfs filesystem handling of inline extents. When an inline extent cannot be created due to a lack of space, the code incorrectly frees the reserved qgroup data during the fallback to the copy‑on‑write path. This frees resources that will still be used, causing a bookkeeping mismatch between the reservation and the actual data usage. The resulting inconsistency can lead to allocation errors, corrupted file‑system metadata, or loss of user data. The weakness is consistent with improper resource handling (CWE‑404).

Affected Systems

Affected are all Linux kernel releases that contain the btrfs implementation before the patch commit that introduced the fix (for example, kernel 6.19 rc1 through rc4 and any earlier mainline kernels). The issue applies to the generic Linux kernel product; no vendor‑product version ranges are specified by the CNA, but any system using an unpatched kernel with btrfs is potentially affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate impact, and the EPSS score of less than 1%, combined with the absence from CISA’s KEV catalog, suggests that exploitation is currently unlikely to be widespread. The flaw is triggered only when a write operation to a btrfs volume fails because the filesystem has run out of space, so an attacker would need local or privileged access to create such failing write attempts. The vulnerability is not publicly documented as being actively exploited at this time.

Generated by OpenCVE AI on May 21, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates the btrfs reservation fix (for example, commit 6de3a371a8b9fd095198b1aa68c22cc10a4c6961 or a kernel version containing that commit).
  • If a kernel upgrade cannot be performed immediately, limit write permissions on btrfs volumes to trusted users only and monitor system logs for filesystem corruption signs such as allocation failures or metadata errors.
  • Ensure that distribution‑specific security patches or updates that include the kernel fix are applied as soon as they become available, and run regular integrity checks (e.g., btrfs scrub or fsck) to detect potential data inconsistencies early.

Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Thu, 21 May 2026 23:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-404

Thu, 21 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772

Thu, 21 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 11 Apr 2026 13:00:00 +0000


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-416

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-416

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: do not free data reservation in fallback from inline due to -ENOSPC If we fail to create an inline extent due to -ENOSPC, we will attempt to go through the normal COW path, reserve an extent, create an ordered extent, etc. However we were always freeing the reserved qgroup data, which is wrong since we will use data. Fix this by freeing the reserved qgroup data in __cow_file_range_inline() only if we are not doing the fallback (ret is <= 0).
Title btrfs: do not free data reservation in fallback from inline due to -ENOSPC
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T21:57:07.828Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71269

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-18T18:16:22.110

Modified: 2026-05-21T18:38:20.613

Link: CVE-2025-71269

Redhat

Severity : Moderate

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71269 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T23:15:17Z

Weaknesses