Impact
A flaw in the Linux kernel's Btrfs file system causes an invalid leaf access when btrfs_quota_enable() is called and a reference key cannot be found. The search loop does not exit when it reaches the end of the Btrfs tree, so the code may dereference an out-of-bounds pointer, leading to a kernel panic and loss of service on the affected system. The attack vector is local: an attacker with sufficient access to create or manipulate a Btrfs filesystem, or to adjust quota settings, could trigger it.
Affected Systems
All Linux kernel builds that include the Btrfs file system and expose the btrfs_quota_enable logic without the recent patch are affected. The flaw is present in any distribution kernel until the commit that implements the described fix, which is incorporated into newer kernel releases. The vulnerability applies to the general Linux kernel as distributed by major vendors.
Risk and Exploitability
The CVSS score is not provided in the advisory, but the failure to validate tree bounds represents a serious programming error that can cause a crash. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating that it may not yet be widely exploited. Nevertheless, the attack surface includes any user or process that can create or modify Btrfs quota structures; local privilege escalation or denial of service is plausible. Based on the description, the likely attack vector is local with privileged access to manage quotas. A potential exploitation path would involve an attacker creating a specially crafted Btrfs volume or invoking quota commands that trigger the invalid search logic, resulting in a kernel panic.
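The loop shape described in the Impact and Risk sections above (a leaf walk that keeps reading slots after the last leaf has been exhausted) is modelled here as an added example. It is not kernel code and does not reproduce Btrfs on-disk structures; the struct layouts and every helper name (next_leaf, read_slot, find_ref_key_safe, find_ref_key_unsafe, lookup) are assumptions made for this illustration. The safe walker stops when the modelled btrfs_next_leaf() reports end of tree; the buggy walker ignores that result, so its slot index runs past nritems and a checked accessor counts the reads that would be invalid memory accesses in the kernel.

```c
#include <stdio.h>

/* Constructed model of the search-loop pattern in the advisory. Not kernel
 * code: struct layouts and helper names are assumptions for this example. */
#define MAX_ITEMS 8
#define MAX_LEAVES 4

struct key { unsigned long long objectid; unsigned char type; unsigned long long offset; };
struct leaf { struct key items[MAX_ITEMS]; int nritems; }; /* slots [0, nritems) are valid */
struct tree { struct leaf leaves[MAX_LEAVES]; int nleaves; };
struct path { int leaf; int slot; };

static int oob_reads; /* reads that touched a slot outside [0, nritems) */
static int oob_read_count(void) { return oob_reads; }

/* Checked slot read; in the kernel this is an unchecked memory access. */
static struct key read_slot(const struct leaf *leaf, int slot)
{
	struct key garbage = { 0, 0, 0 };
	if (slot < 0 || slot >= leaf->nritems) {
		oob_reads++;
		return garbage;	/* stands in for out-of-bounds memory */
	}
	return leaf->items[slot];
}

/* Model of btrfs_next_leaf(): 0 = advanced to the next leaf, 1 = end of tree. */
static int next_leaf(const struct tree *t, struct path *p)
{
	if (p->leaf + 1 >= t->nleaves)
		return 1;
	p->leaf++;
	p->slot = 0;
	return 0;
}

/* Hardened walk: returns 1 and fills *out when a key of the wanted type is
 * found, 0 when the end of the tree is reached. Never reads past nritems. */
static int find_ref_key_safe(const struct tree *t, struct path *p,
			     unsigned char type, struct key *out)
{
	for (;;) {
		const struct leaf *leaf = &t->leaves[p->leaf];
		if (p->slot >= leaf->nritems) {
			if (next_leaf(t, p) > 0)
				return 0;	/* end of tree: key absent, stop the loop */
			continue;
		}
		struct key k = read_slot(leaf, p->slot);
		if (k.type == type) { *out = k; return 1; }
		p->slot++;
	}
}

/* Buggy pattern: the end-of-tree result of next_leaf() is ignored, so on the
 * last leaf the slot index runs past nritems and the loop keeps reading invalid
 * slots. An iteration cap stands in for the kernel crash; returns -1 then. */
static int find_ref_key_unsafe(const struct tree *t, struct path *p,
			       unsigned char type, struct key *out)
{
	for (int guard = 0; guard < 64; guard++) {
		if (p->slot >= t->leaves[p->leaf].nritems)
			next_leaf(t, p);	/* BUG: return value not checked */
		struct key k = read_slot(&t->leaves[p->leaf], p->slot);
		if (k.type == type) { *out = k; return 1; }
		p->slot++;
	}
	return -1;
}

/* Constructed two-leaf tree: key types 1..3 in leaf 0, types 4..5 in leaf 1. */
static struct tree build_sample_tree(void)
{
	struct tree t = { 0 };
	t.nleaves = 2;
	for (int i = 0; i < 3; i++)
		t.leaves[0].items[i] = (struct key){ 256, (unsigned char)(i + 1), 0 };
	t.leaves[0].nritems = 3;
	for (int i = 0; i < 2; i++)
		t.leaves[1].items[i] = (struct key){ 256, (unsigned char)(i + 4), 0 };
	t.leaves[1].nritems = 2;
	return t;
}

/* One lookup from the first slot of the sample tree with the chosen walker. */
static int lookup(unsigned char type, int safe)
{
	struct tree t = build_sample_tree();
	struct path p = { 0, 0 };
	struct key k;
	return safe ? find_ref_key_safe(&t, &p, type, &k)
		    : find_ref_key_unsafe(&t, &p, type, &k);
}

int main(void)
{
	int r;
	r = lookup(5, 1); printf("safe lookup, type 5 present: %d\n", r);
	r = lookup(9, 1); printf("safe lookup, type 9 absent: %d, oob reads %d\n", r, oob_read_count());
	r = lookup(9, 0); printf("unsafe lookup, type 9 absent: %d, oob reads %d\n", r, oob_read_count());
	return 0;
}
```

The point of the comparison is the single missing check: once next_leaf() reports that no further leaf exists, the only correct action is to leave the loop and report the key as absent. Any walker that keeps indexing into the last leaf after that point reads memory beyond the valid items, which in the kernel is the invalid leaf access the advisory describes.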
OpenCVE Enrichment