CVE-2025-40209: Btrfs Memory Leak Unveiled – A Deep Dive and Mitigation

Overview

CVE-2025-40209 identifies a memory leak vulnerability within the Btrfs file system implementation in the Linux kernel. Specifically, the issue resides in the btrfs_add_qgroup_relation function. Incorrect handling of error conditions, particularly invalid qgroup levels (src >= dst), leads to a failure to free pre-allocated memory, potentially allowing an unprivileged user to exhaust kernel memory with repeated triggering of the vulnerability.

Technical Details

The vulnerability stems from an early return in btrfs_add_qgroup_relation when invalid qgroup levels are detected (source level is greater than or equal to destination level). Prior to acquiring the necessary mutex or entering any error handling path that frees the allocated memory, the function returns -EINVAL.

In the function btrfs_ioctl_qgroup_assign, the code exhibits a specific pattern:

prealloc = kzalloc(sizeof(*prealloc), GFP_KERNEL);
ret = btrfs_add_qgroup_relation(trans, sa->src, sa->dst, prealloc);
prealloc = NULL;  // Always set to NULL regardless of return value
...
kfree(prealloc);  // This becomes kfree(NULL), which does nothing

The critical issue is that the prealloc pointer is set to NULL regardless of the return value of btrfs_add_qgroup_relation. Consequently, if the level check fails, the memory allocated to prealloc is never freed by either the called function or the calling function, resulting in a 64-byte memory leak for each failed operation. An unprivileged user with access to a writable Btrfs mount point can repeatedly trigger this vulnerability, potentially leading to denial of service by exhausting kernel memory.
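To make the ownership mistake concrete, the following is an added user-space model of the pattern described above (not the kernel's code): a counting allocator stands in for kzalloc/kfree, the vulnerable and fixed forms of the callee sit side by side, and the caller hands off prealloc unconditionally exactly as btrfs_ioctl_qgroup_assign does. The struct, function names and the way the success path "consumes" the allocation are constructed for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed user-space model of the CVE-2025-40209 pattern, not kernel code;
 * live_allocs counts outstanding allocations so the leak becomes observable. */
static int live_allocs;
struct qgroup_list { uint64_t src, dst; };  /* stand-in for the preallocated relation */

static void *track_kzalloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void track_kfree(void *p) { if (p) { live_allocs--; free(p); } }

/* Vulnerable callee: on the level check the page describes (src >= dst),
 * -EINVAL is returned before prealloc is freed or consumed. */
static int add_relation_vulnerable(uint64_t src, uint64_t dst, struct qgroup_list *prealloc) {
    if (src >= dst)
        return -EINVAL;            /* prealloc is leaked here */
    prealloc->src = src; prealloc->dst = dst;
    track_kfree(prealloc);         /* success path owns prealloc; modelled as a release */
    return 0;
}

/* Fixed callee: the same function with prealloc freed before the early return. */
static int add_relation_fixed(uint64_t src, uint64_t dst, struct qgroup_list *prealloc) {
    if (src >= dst) {
        track_kfree(prealloc);
        return -EINVAL;
    }
    prealloc->src = src; prealloc->dst = dst;
    track_kfree(prealloc);
    return 0;
}

/* Caller modelled on btrfs_ioctl_qgroup_assign: prealloc = NULL regardless of ret. */
static int ioctl_assign(uint64_t src, uint64_t dst, int (*add)(uint64_t, uint64_t, struct qgroup_list *)) {
    struct qgroup_list *prealloc = track_kzalloc(sizeof(*prealloc));
    if (!prealloc) return -ENOMEM;
    int ret = add(src, dst, prealloc);
    prealloc = NULL;               /* ownership handed over whatever ret is */
    track_kfree(prealloc);         /* kfree(NULL): does nothing */
    return ret;
}

/* Issues n requests with the given levels; returns how many allocations are still live. */
int leaked_after(int n, uint64_t src, uint64_t dst, int use_fix) {
    live_allocs = 0;
    for (int i = 0; i < n; i++)
        ioctl_assign(src, dst, use_fix ? add_relation_fixed : add_relation_vulnerable);
    return live_allocs;
}
```

With the vulnerable callee every rejected request leaves one allocation live, while valid requests and the fixed callee leave none; the same counting approach (or kmemleak in a real kernel) is how the leak is confirmed rather than inferred.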

CVSS Analysis

Because no official CVSS score has been assigned, the following is a manual assessment.

  • Severity: Medium
  • Vector: Local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no impact on confidentiality or integrity (C:N/I:N), high impact on availability (A:H). This assumes an unprivileged user can drive the leak to kernel memory exhaustion and denial of service.
  • CVSS Score: estimated between 5.0 and 6.8

Possible Impact

The primary impact of this vulnerability is a denial-of-service (DoS) condition. An unprivileged local user with write access to a Btrfs file system can repeatedly trigger the memory leak, eventually exhausting available kernel memory. This can lead to system instability, crashes, or inability to allocate resources, effectively rendering the system unusable.

Mitigation and Patch Steps

The recommended mitigation is to apply the patch provided by the Linux kernel developers. The patch ensures that the prealloc memory is freed before the early return in btrfs_add_qgroup_relation when invalid qgroup levels are detected. This eliminates the memory leak and prevents the possibility of kernel memory exhaustion.

To apply the patch, update your kernel to a version containing the fix. Check your Linux distribution’s security advisories for information on available updates. Alternatively, you can manually apply the patch to your kernel source code and recompile the kernel.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.