Impact
A time‑of‑check to time‑of‑use race exists between two passes over the block group RAID type lists in the function btrfs_ioctl_space_info. The first pass counts entries to size the buffer; after releasing the groups_sem rwlock, a concurrent block group removal can decrease the count. The second pass then copies fewer entries than were counted. As a result, copy_to_user copies the full allocated size, including trailing uninitialized kmalloc bytes, to user space, leaking kernel data. This flaw can expose sensitive data and provide an attacker with kernel memory contents, potentially facilitating further exploitation. The weakness is a race condition leading to an information‑leak vulnerability.
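The count-then-copy pattern above, as an added user-space model (not kernel code): a constructed list of RAID types shrinks between the two passes, and the function reports how many bytes of never-written buffer would reach user space. The two hardening flags model zeroing the allocation and sizing the copy by what the second pass actually wrote; the advisory does not state which approach the upstream fix takes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code): one space_info's list of RAID types,
 * normally walked under a lock.  A concurrent block group removal between the
 * two passes shrinks the list, which is the race the advisory describes. */
struct space_info_model { int ntypes; };
struct space_entry { uint64_t flags, total_bytes, used_bytes; }; /* 24 bytes, no padding */

#define STALE 0xA5 /* stands in for whatever kmalloc() left in the buffer */

/* Pass 1: count entries (lock held in the real code). */
static int count_pass(const struct space_info_model *si) { return si->ntypes; }

/* Pass 2: copy the entries present *now*; returns how many were written. */
static int fill_pass(const struct space_info_model *si, struct space_entry *dst)
{
    for (int i = 0; i < si->ntypes; i++)
        dst[i] = (struct space_entry){ .flags = 1u << i, .total_bytes = 0, .used_bytes = 0 };
    return si->ntypes;
}

/* Runs the two-pass ioctl logic with `removed` groups disappearing between the
 * passes.  Returns the number of bytes handed to user space that the kernel
 * never wrote (0 means no leak).
 * zero_alloc  : model kzalloc() instead of kmalloc()
 * size_by_fill: copy only what pass 2 wrote, not what pass 1 counted */
size_t leaked_bytes(int initial, int removed, int zero_alloc, int size_by_fill)
{
    struct space_info_model si = { .ntypes = initial };
    int counted = count_pass(&si);
    size_t alloc_len = (size_t)counted * sizeof(struct space_entry);
    unsigned char *buf = malloc(alloc_len);
    memset(buf, zero_alloc ? 0 : STALE, alloc_len);

    si.ntypes = initial - removed;            /* lock dropped: removal wins the race */
    int filled = fill_pass(&si, (struct space_entry *)buf);

    size_t copy_len = size_by_fill ? (size_t)filled * sizeof(struct space_entry) : alloc_len;
    size_t leak = 0;
    for (size_t i = 0; i < copy_len; i++)     /* what copy_to_user() would hand out */
        if (buf[i] == STALE)
            leak++;
    free(buf);
    return leak;
}
```

With four counted types and one removed, the vulnerable variant exposes one whole 24-byte entry of stale allocator contents; either hardening flag brings that to zero.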
Affected Systems
The vulnerability affects the Linux kernel’s Btrfs filesystem implementation on all distributions that ship the kernel and enable the Btrfs module. No specific kernel version is enumerated; the fix replaces the old logic in newer patches. The vendor affected is the Linux kernel itself, i.e. Linux:Linux.
Risk and Exploitability
Because the flaw is triggered by a user‑land ioctl call, a local user with access to Btrfs can exploit it. The race requires that a concurrent kernel block group removal occurs between the two passes, which is possible when many concurrent filesystem operations happen. The exploit does not require elevated privileges, but the data leaked may be useful for privilege escalation or bypassing kernel mitigations. No CVSS score is provided. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog, so the risk should be assessed as potential local information disclosure with moderate likelihood, warranting immediate attention for systems running vulnerable kernels.
OpenCVE Enrichment