SB20260320105 - Resource exhaustion in Linux kernel btrfs

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2025-71269)

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper resource management in the btrfs filesystem's qgroup data reservation handling when processing file writes that trigger a fallback from inline extent creation. A local user can perform file operations that cause an ENOSPC condition during inline extent creation, leading to incorrect release of qgroup data reservations while still proceeding with the normal COW path, resulting in unbalanced quota accounting and potential denial of service.

The attacker must have the ability to write to a btrfs filesystem and trigger space allocation under conditions of low available space; this typically requires low-privileged local access but does not require administrative privileges beyond standard user write permissions.

Remediation

Install update from vendor's website.

References

• https://git.kernel.org/stable/c/6de3a371a8b9fd095198b1aa68c22cc10a4c6961
• https://git.kernel.org/stable/c/f8da41de0bff9eb1d774a7253da0c9f637c4470a