Impact
A missing RCU unlock on the error path of try_release_subpage_extent_buffer() in the Linux kernel's btrfs code allows a use-after-free or other memory corruption in kernel space. Because the RCU lock is not released when an error occurs, a freed object can still be accessed, potentially leading to kernel crashes or instability. The flaw was detected by the Clang thread-safety analyzer and is addressed in an upstream patch that adds the missing unlock.
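A userspace model of this bug class, added here as an illustration and not taken from the kernel source or the upstream patch: a loop takes a read lock per item and one early exit forgets to drop it. The function names, the buffer struct and the depth counter are assumptions, and the counter tracks only lock/unlock balance.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
/* Userspace stand-in for RCU read-side nesting (assumption: balance only). */
static int rcu_depth;
static void model_rcu_read_lock(void)   { rcu_depth++; }
static void model_rcu_read_unlock(void) { rcu_depth--; }

/* Hypothetical buffer: refs == 1 means nobody else is using it. */
struct model_buf { int refs; bool under_io; bool released; };
typedef bool (*release_fn)(struct model_buf *, size_t);

/* Before: the "buffer is busy" exit leaves the read lock held. */
static bool release_all_buggy(struct model_buf *bufs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        model_rcu_read_lock();
        if (bufs[i].refs != 1 || bufs[i].under_io)
            return false;               /* unlock missing on this path */
        model_rcu_read_unlock();
        bufs[i].released = true;
    }
    return true;
}

/* After: every exit from the read-side section drops the lock. */
static bool release_all_fixed(struct model_buf *bufs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        model_rcu_read_lock();
        if (bufs[i].refs != 1 || bufs[i].under_io) {
            model_rcu_read_unlock();
            return false;
        }
        model_rcu_read_unlock();
        bufs[i].released = true;
    }
    return true;
}

/* Runs fn over three constructed buffers; nonzero result = unbalanced lock. */
static int leaked_depth(release_fn fn, int second_refs) {
    struct model_buf bufs[3] = { {1, false, false}, {second_refs, false, false}, {1, false, false} };
    rcu_depth = 0;
    fn(bufs, 3);
    return rcu_depth;
}
int main(void) {
    printf("buggy: %d, fixed: %d\n", leaked_depth(release_all_buggy, 2), leaked_depth(release_all_fixed, 2));
    return 0;
}
```

The imbalance appears only when a busy buffer forces the early exit, which is why a static check over every path finds it more reliably than a test of the success path.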
Affected Systems
The vulnerability affects any Linux kernel build that contains the buggy btrfs implementation, that is, every build that predates the commit adding the RCU unlock in try_release_subpage_extent_buffer(). No specific kernel versions are listed, so any kernel containing the unpatched btrfs code is potentially vulnerable.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. The EPSS score of < 1% indicates a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker would need to trigger the error path in try_release_subpage_extent_buffer(), which requires local privileged code execution or kernel code execution. If successful, the resulting use-after-free could lead to a kernel panic or provide a foothold for arbitrary code execution.
OpenCVE Enrichment