CVE-2025-40209
BaseFortify

Publication date: 2025-11-21

Last updated on: 2025-11-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation

When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup.

The issue occurs because the level validation check happens before the mutex is acquired and before any error handling path that would free the prealloc pointer. On this early return, the cleanup code at the 'out' label (which includes kfree(prealloc)) is never reached.

In btrfs_ioctl_qgroup_assign(), the code pattern is:

    prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);
    ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);
    prealloc = NULL;  // Always set to NULL regardless of return value
    ...
    kfree(prealloc);  // This becomes kfree(NULL), does nothing

When the level check fails, 'prealloc' is never freed by either the callee or the caller, resulting in a 64-byte memory leak per failed operation. This can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially exhausting kernel memory.

Fix this by freeing prealloc before the early return, ensuring prealloc is always freed on all error paths.
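The following is an added userspace model of the ownership bug described above; it is not kernel code and not part of the fix. It reproduces the caller/callee shape from the description (caller preallocates, hands the object to the callee, unconditionally drops its own pointer) with a counting allocator standing in for slab accounting, so the leak becomes a number you can assert on. The struct layout, the function names with the _model/_leaky/_fixed suffixes, and the assumption that the qgroup level lives in the top 16 bits of the qgroupid are this example's own, not taken from the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not kernel code. g_live_allocs stands in for slab
 * accounting / kmemleak: every kzalloc_model() needs a matching kfree_model(). */
static long g_live_allocs;

struct qgroup_list {               /* stand-in layout, sized like the real 64-byte object */
    struct qgroup_list *next;
    uint64_t src;
    uint64_t dst;
    uint8_t pad[40];
};

static struct qgroup_list *g_relations;   /* stands in for the qgroup relation lists */

static void *kzalloc_model(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        g_live_allocs++;
    return p;
}

static void kfree_model(void *p)
{
    if (p) {                       /* kfree(NULL) is a no-op, as in the kernel */
        g_live_allocs--;
        free(p);
    }
}

/* Assumption: btrfs keeps the qgroup level in the top 16 bits of the qgroupid. */
static uint64_t qgroup_level(uint64_t qgroupid)
{
    return qgroupid >> 48;
}

/* Success path shared by both callees: prealloc is consumed by linking it. */
static void link_relation(uint64_t src, uint64_t dst, struct qgroup_list *prealloc)
{
    prealloc->src = src;
    prealloc->dst = dst;
    prealloc->next = g_relations;
    g_relations = prealloc;
}

/* Pre-fix shape: the callee owns prealloc but drops it on the early return. */
static int add_qgroup_relation_leaky(uint64_t src, uint64_t dst, struct qgroup_list *prealloc)
{
    if (qgroup_level(src) >= qgroup_level(dst))
        return -EINVAL;            /* BUG: prealloc is now unreachable */
    link_relation(src, dst, prealloc);
    return 0;
}

/* Fixed shape: ownership was transferred, so the callee frees on every error path. */
static int add_qgroup_relation_fixed(uint64_t src, uint64_t dst, struct qgroup_list *prealloc)
{
    if (qgroup_level(src) >= qgroup_level(dst)) {
        kfree_model(prealloc);
        return -EINVAL;
    }
    link_relation(src, dst, prealloc);
    return 0;
}

typedef int (*add_relation_fn)(uint64_t, uint64_t, struct qgroup_list *);

/* Models btrfs_ioctl_qgroup_assign(): hand the object over, then forget it. */
static int ioctl_qgroup_assign(add_relation_fn add, uint64_t src, uint64_t dst)
{
    struct qgroup_list *prealloc = kzalloc_model(sizeof(*prealloc));
    int ret;

    if (!prealloc)
        return -ENOMEM;
    ret = add(src, dst, prealloc);
    prealloc = NULL;               /* unconditional, as in the real caller */
    kfree_model(prealloc);         /* always kfree(NULL): cannot rescue a leaked object */
    return ret;
}

/* Frees only what is still reachable; leaked objects are gone for good. */
static void reset_state(void)
{
    while (g_relations) {
        struct qgroup_list *n = g_relations->next;
        kfree_model(g_relations);
        g_relations = n;
    }
    g_live_allocs = 0;
}

/* Issue n assigns with an invalid pair (src level >= dst level); return leaked objects. */
static long leaked_after_failed_assigns(add_relation_fn add, unsigned int n)
{
    uint64_t src = ((uint64_t)1 << 48) | 1;   /* level 1, qgroup 1/1 */
    uint64_t dst = 1;                          /* level 0, qgroup 0/1: rejected */

    reset_state();
    for (unsigned int i = 0; i < n; i++)
        (void)ioctl_qgroup_assign(add, src, dst);
    return g_live_allocs;
}

int main(void)
{
    printf("leaky callee: %ld objects outstanding after 1000 rejected assigns\n",
           leaked_after_failed_assigns(add_qgroup_relation_leaky, 1000));
    printf("fixed callee: %ld objects outstanding after 1000 rejected assigns\n",
           leaked_after_failed_assigns(add_qgroup_relation_fixed, 1000));
    reset_state();
    return 0;
}
```

The lesson is the ownership convention, not the specific check: once a caller transfers an object and then blindly NULLs its pointer, every error return in the callee, including ones placed before the usual cleanup label, must free the object itself. A quick review habit for patches of this shape is to scan each early `return` between the function's entry and its first `goto out` and ask who owns each pointer parameter at that point.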
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-11-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: * (no version range specified)
CWE ID: CWE-UNKNOWN (no CWE assigned)
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a memory leak in the Linux kernel's btrfs filesystem code. When btrfs_add_qgroup_relation() is called with invalid qgroup levels (where the source level is greater than or equal to the destination level), it returns -EINVAL before reaching its cleanup path and so never frees the preallocated qgroup_list structure handed to it by btrfs_ioctl_qgroup_assign(). Because the caller sets its own pointer to NULL unconditionally after the call, nothing else can free the object either, and each rejected request leaks 64 bytes. Repeating the request leaks memory without bound.


How can this vulnerability impact me?

This vulnerability can lead to a memory leak in the Linux kernel, which can be exploited by an unprivileged user with access to a writable btrfs mount. By repeatedly triggering the invalid qgroup level condition, the attacker can cause the kernel to leak memory continuously, potentially exhausting kernel memory resources. This could degrade system performance or lead to denial of service due to resource exhaustion.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the memory leak in btrfs_add_qgroup_relation() has been fixed. This fix ensures that the preallocated qgroup_list structure is properly freed on all error paths, preventing memory leaks. Until the update is applied, restrict unprivileged users' access to writable btrfs mounts to prevent exploitation.

