CVE-2025-68359
Unknown Unknown - Not Provided
Double Free Vulnerability in Linux btrfs Qgroup Record Handling

Publication date: 2025-12-24

Last updated on: 2025-12-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double free of qgroup record after failure to add delayed ref head In the previous code it was possible to incur into a double kfree() scenario when calling add_delayed_ref_head(). This could happen if the record was reported to already exist in the btrfs_qgroup_trace_extent_nolock() call, but then there was an error later on add_delayed_ref_head(). In this case, since add_delayed_ref_head() returned an error, the caller went to free the record. Since add_delayed_ref_head() couldn't set this kfree'd pointer to NULL, then kfree() would have acted on a non-NULL 'record' object which was pointing to memory already freed by the callee. The problem comes from the fact that the responsibility to kfree the object is on both the caller and the callee at the same time. Hence, the fix for this is to shift the ownership of the 'qrecord' object out of the add_delayed_ref_head(). That is, we will never attempt to kfree() the given object inside of this function, and will expect the caller to act on the 'qrecord' object on its own. The only exception where the 'qrecord' object cannot be kfree'd is if it was inserted into the tracing logic, for which we already have the 'qrecord_inserted_ret' boolean to account for this. Hence, the caller has to kfree the object only if add_delayed_ref_head() reports not to have inserted it on the tracing logic. As a side-effect of the above, we must guarantee that 'qrecord_inserted_ret' is properly initialized at the start of the function, not at the end, and then set when an actual insert happens. This way we avoid 'qrecord_inserted_ret' having an invalid value on an early exit. The documentation from the add_delayed_ref_head() has also been updated to reflect on the exact ownership of the 'qrecord' object.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-24
Last Modified
2025-12-24
Generated
2026-05-07
AI Q&A
2025-12-24
EPSS Evaluated
2026-05-05
NVD
CVE-2025-68359
EUVD
EUVD-2025-205095
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a double free bug in the Linux kernel's btrfs filesystem code. Specifically, when adding a delayed reference head with the function add_delayed_ref_head(), if an error occurs after detecting that a record already exists, both the function and its caller attempt to free the same memory object (qgroup record). This leads to a double free scenario because the function does not set the pointer to NULL after freeing it, causing the caller to free it again. The fix involves changing ownership rules so that only the caller is responsible for freeing the qgroup record unless it was successfully inserted into the tracing logic, preventing the double free.


How can this vulnerability impact me? :

This vulnerability can lead to memory corruption due to a double free of a qgroup record in the btrfs filesystem code. Memory corruption can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited. Therefore, it poses a risk to system reliability and security.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Linux kernel to a version where the fix for the double free of qgroup record in btrfs has been applied. This fix ensures proper ownership and freeing of the qrecord object in add_delayed_ref_head(), preventing the double free scenario.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart