CVE-2025-71159
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2026-01-23
EPSS Evaluated
2026-05-05
NVD
CVE-2025-71159
EUVD
EUVD-2026-4311
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.18 (inc) to 6.18.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a use-after-free warning in the Linux kernel's btrfs filesystem code, specifically in the function btrfs_get_or_create_delayed_node(). The issue arises because the reference count (refcount) for a delayed_node was set before acquiring a lock, which led to a lack of a memory barrier between setting the refcount and assigning the delayed_node to a btrfs_inode. Without this memory barrier, the order of operations could be seen out of order by other threads, causing them to increment a refcount that was not yet set, resulting in a refcounting bug and a use-after-free warning. The fix involved moving the refcount setting inside the critical section protected by the lock to ensure proper memory ordering.


How can this vulnerability impact me? :

This vulnerability can lead to use-after-free conditions in the btrfs filesystem code, which may cause system instability, crashes, or potential memory corruption. Such issues can affect the reliability and security of systems using the affected Linux kernel versions with btrfs, potentially leading to data loss or denial of service.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart