Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: do not free data reservation in fallback from inline due to -ENOSPC

If we fail to create an inline extent due to -ENOSPC, we will attempt to
go through the normal COW path, reserve an extent, create an ordered
extent, etc. However we were always freeing the reserved qgroup data,
which is wrong since we will use data. Fix this by freeing the reserved
qgroup data in __cow_file_range_inline() only if we are not doing the
fallback (ret is <= 0).
Published: 2026-03-18
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: Filesystem data corruption
Action: Apply Patch
AI Analysis

Impact

The flaw is in the Linux kernel’s btrfs file system and occurs when an attempt to create an inline extent fails for lack of space (-ENOSPC). The write then falls back to the normal COW path, which reserves an extent and creates an ordered extent. In the buggy code, the reserved qgroup data is freed even though the fallback path will still use it, so the reservation bookkeeping no longer matches the actual data usage. This inconsistency can cause downstream allocation errors or corrupt file system metadata, potentially resulting in loss or corruption of user data.

Affected Systems

All Linux kernel releases that include the btrfs implementation and predate the patch commit are affected. The vulnerability is associated with the generic Linux kernel product; no specific vendor‑product name or version range is listed in the CNA data. Both Linux vendor listings indicate that the issue exists within the mainline kernel source.

Risk and Exploitability

The CVSS score of 7.0 corresponds to a High rating (Red Hat lists the threat severity as Moderate), while the EPSS score of less than 1% and absence from the CISA KEV catalog suggest that widespread exploitation is unlikely at present. The flaw is only triggered during normal write operations to a btrfs volume, so it would likely require the attacker to have at least local or privileged access to issue writes that exhaust a file system’s space. This inference is derived from the description of the runtime behaviour and the need for a write path that triggers the fallback.

Generated by OpenCVE AI on March 27, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that includes the btrfs reservation fix (commit 6de3a371a8b9fd095198b1aa68c22cc10a4c6961).
  • If a kernel update cannot be applied immediately, restrict write access to btrfs volumes and monitor for signs of file system corruption or allocation failures.

Advisories

No advisories yet.

History

Sat, 11 Apr 2026 13:00:00 +0000


Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-416

Wed, 25 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-416

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: do not free data reservation in fallback from inline due to -ENOSPC If we fail to create an inline extent due to -ENOSPC, we will attempt to go through the normal COW path, reserve an extent, create an ordered extent, etc. However we were always freeing the reserved qgroup data, which is wrong since we will use data. Fix this by freeing the reserved qgroup data in __cow_file_range_inline() only if we are not doing the fallback (ret is <= 0).
Title btrfs: do not free data reservation in fallback from inline due to -ENOSPC
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-11T12:45:43.200Z

Reserved: 2026-03-17T09:08:18.457Z

Link: CVE-2025-71269

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-18T18:16:22.110

Modified: 2026-04-11T13:16:36.240

Link: CVE-2025-71269

Redhat

Severity: Moderate

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2025-71269 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T15:48:26Z

Weaknesses