CVE-2021-46958: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix race between transaction aborts and fsyncs leading to use-after-free

There is a race between a task aborting a transaction during a commit, a task doing an fsync and the transaction kthread, which leads to a use-after-free of the log root tree. When this happens, it results in a stack trace like the following:

BTRFS info (device dm-0): forced readonly
BTRFS warning (device dm-0): Skipping commit of aborted transaction.
BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure
BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)
BTRFS warning (device dm-0): Skipping commit of aborted transaction.
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10
BTRFS error (device dm-0): error writing primary super block to device 1
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e000 len 4096 err no 10
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e008 len 4096 err no 10
BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0x12e010 len 4096 err no 10
BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)
BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure
general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI
CPU: 2 PID: 2458471 Comm: fsstress Not tainted 5.12.0-rc5-btrfs-next-84 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:__mutex_lock+0x139/0xa40
Code: c0 74 19 (...)
RSP: 0018:ffff9f18830d7b00 EFLAGS: 00010202
RAX: 6b6b6b6b6b6b6b68 RBX: 0000000000000001 RCX: 0000000000000002
RDX: ffffffffb9c54d13 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff9f18830d7bc0 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9f18830d7be0 R11: 0000000000000001 R12: ffff8c6cd199c040
R13: ffff8c6c95821358 R14: 00000000fffffffb R15: ffff8c6cbcf01358
FS: 00007fa9140c2b80(0000) GS:ffff8c6fac600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa913d52000 CR3: 000000013d2b4003 CR4: 0000000000370ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]
 ? btrfs_sync_log+0x7c1/0xf20 [btrfs]
 ? btrfs_sync_log+0x7c1/0xf20 [btrfs]
 btrfs_sync_log+0x7c1/0xf20 [btrfs]
 btrfs_sync_file+0x40c/0x580 [btrfs]
 do_fsync+0x38/0x70
 __x64_sys_fsync+0x10/0x20
 do_syscall_64+0x33/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fa9142a55c3
Code: 8b 15 09 (...)
RSP: 002b:00007fff26278d48 EFLAGS: 00000246 ORIG_RAX: 000000000000004a
RAX: ffffffffffffffda RBX: 0000563c83cb4560 RCX: 00007fa9142a55c3
RDX: 00007fff26278cb0 RSI: 00007fff26278cb0 RDI: 0000000000000005
RBP: 0000000000000005 R08: 0000000000000001 R09: 00007fff26278d5c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000340
R13: 00007fff26278de0 R14: 00007fff26278d96 R15: 0000563c83ca57c0
Modules linked in: btrfs dm_zero dm_snapshot dm_thin_pool (...)
---[ end trace ee2f1b19327d791d ]---

The steps that lead to this crash are the following:

1) We are at transaction N;

2) We have two tasks with a transaction handle attached to transaction N. Task A and Task B. Task B is doing an fsync;

3) Task B is at btrfs_sync_log(), and has saved fs_info->log_root_tree into a local variable named 'log_root_tree' at the top of btrfs_sync_log(). Task B is about to call write_all_supers(), but before that...

4) Task A calls btrfs_commit_transaction(), and after it sets the transaction state to TRANS_STATE_COMMIT_START, an error happens before it w ---truncated---
AI Analysis
Technical Summary
CVE-2021-46958 is a race condition in the Linux kernel's Btrfs filesystem. It arises from a race between transaction aborts and fsync operations and results in a use-after-free of the log root tree. The race needs two tasks working on the same Btrfs transaction: one aborts the transaction during commit, while the other runs an fsync that reads the log root tree. Because the two paths are not properly synchronized, the log root tree can be freed while the fsync path still holds a pointer to it, and the subsequent access corrupts memory. In the kernel log this shows up as the filesystem being forced read-only, IO failure errors, and finally a general protection fault. The root cause is a timing window in which the transaction state change and the deallocation overlap with a concurrent fsync. Triggering the bug can cause system instability, kernel crashes (kernel panic), and potential data corruption or loss on Btrfs volumes. The vulnerability affects Linux kernel versions containing the vulnerable commit ef67963dac255b293e19815ea3d440567be4626f and has been publicly disclosed without a CVSS score or known exploits in the wild. The issue matters most for systems that rely on Btrfs for storage under high concurrency with frequent fsync calls, such as servers and enterprise storage.
Potential Impact
For European organizations, the impact of CVE-2021-46958 can be significant, particularly for enterprises and data centers running Linux servers with Btrfs filesystems. The vulnerability can lead to unexpected system crashes and forced read-only filesystem states, causing service disruptions and potential data loss. This is especially critical for industries that require high availability and data integrity, such as financial services, healthcare, telecommunications, and government infrastructure. The use-after-free condition could be leveraged by attackers with local access to cause denial of service or potentially escalate privileges by corrupting kernel memory, although no public exploit is known. The instability may also affect cloud service providers and hosting companies operating Linux-based infrastructure in Europe, and through them their customers. Organizations that rely on Btrfs snapshots and fsync for data consistency face an increased risk of data corruption. The absence of a CVSS score and of known exploits suggests the threat is currently theoretical, but the kernel-level impact and potential for severe operational consequences warrant prompt attention.
Mitigation Recommendations
1. Immediate patching: Apply the latest Linux kernel updates that include the fix for CVE-2021-46958. Monitor vendor advisories for backported patches in enterprise distributions such as Ubuntu, Debian, Red Hat, SUSE, and others common in Europe.
2. Filesystem usage review: Where possible, evaluate the necessity of Btrfs for critical workloads. Consider migrating sensitive data to alternative filesystems (e.g., ext4, XFS) until patches are applied.
3. Limit fsync concurrency: Reduce concurrent fsync operations on Btrfs volumes by tuning application behavior or workload scheduling to minimize race conditions.
4. Access control: Restrict local user access to systems with Btrfs volumes to trusted personnel only, as exploitation requires local code execution or user interaction.
5. Monitoring and alerting: Implement kernel crash and filesystem error monitoring to detect early signs of exploitation or instability.
6. Backup and recovery: Ensure robust backup strategies are in place for Btrfs volumes to mitigate potential data loss from filesystem corruption.
7. Testing: Before deploying kernel updates in production, test patches in staging environments to confirm stability and compatibility with existing workloads.
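The monitoring in recommendation 5 is concrete enough to implement. The script below is an added example, not part of the CVE record or of the kernel project: it scans kernel log lines (as produced by dmesg or journalctl -k) for the Btrfs abort signature that the description shows (forced readonly, "Skipping commit of aborted transaction", errno=-5 errors naming a btrfs function) and correlates it with a following general protection fault whose call trace passes through btrfs_sync_log. It also checks whether the faulting address consists of 0x6b bytes, which is the SLUB free-object poison value, a strong hint that freed memory was touched. The sample log is constructed for the example: the Btrfs and trace lines are taken from the excerpt in the description, the two "info" lines for sdb1 are constructed benign mount messages, and all function, class and field names are mine.

```python
"""Flag the Btrfs transaction-abort / fsync use-after-free signature in kernel log lines."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "BTRFS warning (device dm-0): msg" and "BTRFS: error (device dm-0) in func:line: msg"
BTRFS_RE = re.compile(
    r"BTRFS:?\s*(?P<level>info|warning|error)?\s*\(device (?P<dev>[^)]+)\)"
    r"(?: in (?P<func>\w+):(?P<line>\d+))?: (?P<msg>.*)"
)
GPF_RE = re.compile(r"general protection fault.*?address (?P<addr>0x[0-9a-fA-F]+)")
# symbol+0xoff/0xsize entries of an x86 call trace (also matches the RIP line)
TRACE_RE = re.compile(r"\b(?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")
SLUB_POISON_FREE = 0x6B  # byte value SLUB writes into freed objects


@dataclass
class DeviceState:
    readonly: bool = False
    aborted_commits: int = 0
    io_errors: List[Tuple[Optional[str], str]] = field(default_factory=list)


@dataclass
class Report:
    devices: Dict[str, DeviceState] = field(default_factory=dict)
    gpf_address: Optional[int] = None
    freed_memory_poison: bool = False
    crash_symbols: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def looks_like_free_poison(addr: int) -> bool:
    """True when all but the lowest byte of addr are the SLUB free poison (0x6b)."""
    return (addr >> 8) == int("6b" * 7, 16)


def analyze(lines: List[str]) -> Report:
    rep = Report()
    in_trace = False
    for raw in lines:
        line = raw.strip()
        m = BTRFS_RE.search(line)
        if m:
            st = rep.devices.setdefault(m["dev"], DeviceState())
            msg = m["msg"]
            if msg == "forced readonly":
                st.readonly = True
            elif msg.startswith("Skipping commit of aborted transaction"):
                st.aborted_commits += 1
            elif "errno=" in msg:
                st.io_errors.append((m["func"], msg))
            continue
        g = GPF_RE.search(line)
        if g:
            rep.gpf_address = int(g["addr"], 16)
            rep.freed_memory_poison = looks_like_free_poison(rep.gpf_address)
            in_trace = True  # everything up to "end trace" belongs to this oops
            continue
        if in_trace:
            if line.startswith("---[ end trace"):
                in_trace = False
                continue
            rep.crash_symbols.extend(t["sym"] for t in TRACE_RE.finditer(line))
    # Correlate per device: an aborted commit plus a fault inside btrfs_sync_log
    # is the pattern described for CVE-2021-46958; an abort on its own still
    # deserves a look at the underlying storage errors.
    for dev, st in rep.devices.items():
        if st.aborted_commits and rep.gpf_address is not None and "btrfs_sync_log" in rep.crash_symbols:
            note = f"{dev}: aborted transaction followed by GPF in btrfs_sync_log"
            if rep.freed_memory_poison:
                note += " (fault address matches SLUB free poison: likely use-after-free)"
            rep.findings.append(note)
        elif st.aborted_commits or st.readonly:
            rep.findings.append(f"{dev}: transaction abort / forced readonly, check storage errors")
    return rep


# Constructed sample: lines from the CVE description plus two benign messages for sdb1.
SAMPLE_LOG = [
    "BTRFS info (device sdb1): disk space caching is enabled",
    "BTRFS info (device sdb1): using free space tree",
    "BTRFS info (device dm-0): forced readonly",
    "BTRFS warning (device dm-0): Skipping commit of aborted transaction.",
    "BTRFS: error (device dm-0) in cleanup_transaction:1958: errno=-5 IO failure",
    "BTRFS warning (device dm-0): lost page write due to IO error on /dev/mapper/error-test (-5)",
    "BTRFS warning (device dm-0): Skipping commit of aborted transaction.",
    "BTRFS warning (device dm-0): direct IO failed ino 261 rw 0,0 sector 0xa4e8 len 4096 err no 10",
    "BTRFS error (device dm-0): error writing primary super block to device 1",
    "BTRFS: error (device dm-0) in write_all_supers:4110: errno=-5 IO failure (1 errors while writing supers)",
    "BTRFS: error (device dm-0) in btrfs_sync_log:3308: errno=-5 IO failure",
    "general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b68: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI",
    "RIP: 0010:__mutex_lock+0x139/0xa40",
    "Call Trace:",
    " ? __btrfs_handle_fs_error+0xde/0x146 [btrfs]",
    " btrfs_sync_log+0x7c1/0xf20 [btrfs]",
    " btrfs_sync_file+0x40c/0x580 [btrfs]",
    " do_fsync+0x38/0x70",
    " __x64_sys_fsync+0x10/0x20",
    "---[ end trace ee2f1b19327d791d ]---",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG).findings:
        print(finding)
```

In production the same analyze() would be fed from `journalctl -k -o cat` or a log shipper; the per-device state lets one alert distinguish a filesystem that merely went read-only after a disk error from one that also crashed a process in the fsync path.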
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-27T18:42:55.939Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe98d3
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 6:10:27 PM
Last updated: 7/31/2025, 11:18:09 AM