CVE-2022-49068: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:

btrfs: release correct delalloc amount in direct IO write path

Running generic/406 causes the following WARNING in btrfs_destroy_inode() which tells there are outstanding extents left.

In btrfs_get_blocks_direct_write(), we reserve temporary outstanding extents with btrfs_delalloc_reserve_metadata() (or indirectly from btrfs_delalloc_reserve_space()). We then release the outstanding extents with btrfs_delalloc_release_extents(). However, the "len" can be modified in the COW case, which releases fewer outstanding extents than expected.

Fix it by calling btrfs_delalloc_release_extents() for the original length.

To reproduce the warning, the filesystem should be 1 GiB. It's triggering a short-write, due to not being able to allocate a large extent and instead allocating a smaller one.

WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode+0x1e6/0x210 [btrfs]
Modules linked in: btrfs blake2b_generic xor lzo_compress lzo_decompress raid6_pq zstd zstd_decompress zstd_compress xxhash zram zsmalloc
CPU: 0 PID: 757 Comm: umount Not tainted 5.17.0-rc8+ #101
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS d55cb5a 04/01/2014
RIP: 0010:btrfs_destroy_inode+0x1e6/0x210 [btrfs]
RSP: 0018:ffffc9000327bda8 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffff888100548b78 RCX: 0000000000000000
RDX: 0000000000026900 RSI: 0000000000000000 RDI: ffff888100548b78
RBP: ffff888100548940 R08: 0000000000000000 R09: ffff88810b48aba8
R10: 0000000000000001 R11: ffff8881004eb240 R12: ffff88810b48a800
R13: ffff88810b48ec08 R14: ffff88810b48ed00 R15: ffff888100490c68
FS: 00007f8549ea0b80(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f854a09e733 CR3: 000000010a2e9003 CR4: 0000000000370eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
destroy_inode+0x33/0x70
dispose_list+0x43/0x60
evict_inodes+0x161/0x1b0
generic_shutdown_super+0x2d/0x110
kill_anon_super+0xf/0x20
btrfs_kill_super+0xd/0x20 [btrfs]
deactivate_locked_super+0x27/0x90
cleanup_mnt+0x12c/0x180
task_work_run+0x54/0x80
exit_to_user_mode_prepare+0x152/0x160
syscall_exit_to_user_mode+0x12/0x30
do_syscall_64+0x42/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f854a000fb7
AI Analysis
Technical Summary
CVE-2022-49068 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation. The issue arises in the handling of delayed allocation (delalloc) extents during direct IO write operations. Specifically, the vulnerability occurs in the btrfs_get_blocks_direct_write() function, where the system reserves temporary outstanding extents using btrfs_delalloc_reserve_metadata() or indirectly via btrfs_delalloc_reserve_space(). However, in the case of copy-on-write (COW) operations, the length parameter ('len') can be modified, leading to an incorrect release of outstanding extents. This results in fewer extents being released than expected, causing warnings such as "WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode" and indicating that there are outstanding extents left when destroying inodes.

The root cause is that btrfs_delalloc_release_extents() is called with the modified length instead of the original length, which fails to properly release all reserved extents. This can be reproduced on a filesystem of approximately 1 GiB size, particularly when a short-write is triggered due to the inability to allocate a large extent, resulting in allocation of a smaller extent instead. While the vulnerability primarily causes warnings and potential inode destruction issues, it may lead to filesystem inconsistencies or data integrity problems under certain conditions.

The patch involves ensuring that btrfs_delalloc_release_extents() is called with the original length to correctly release all outstanding extents. The vulnerability affects specific Linux kernel versions identified by their commit hashes and was published on February 26, 2025. There are no known exploits in the wild, and no CVSS score has been assigned yet.
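The accounting mismatch described above, as an added example that is not kernel code and not part of the original advisory: a simplified Python model of the reserve/release pair. It assumes outstanding extents are counted in 128 MiB units (taken from the kernel's BTRFS_MAX_EXTENT_SIZE); `Inode`, `direct_write` and the byte sizes are hypothetical.

```python
# Simplified model of the temporary outstanding-extent reservation in the
# btrfs direct IO write path. Illustration only, not kernel code.
MIB = 1024 * 1024
MAX_EXTENT_SIZE = 128 * MIB  # assumption: mirrors BTRFS_MAX_EXTENT_SIZE


def count_max_extents(num_bytes):
    """Extents needed to cover num_bytes, rounded up to whole extents."""
    return (num_bytes + MAX_EXTENT_SIZE - 1) // MAX_EXTENT_SIZE


class Inode:
    """Hypothetical stand-in that tracks only the outstanding-extent counter."""

    def __init__(self):
        self.outstanding_extents = 0

    def reserve(self, num_bytes):
        self.outstanding_extents += count_max_extents(num_bytes)

    def release_extents(self, num_bytes):
        self.outstanding_extents -= count_max_extents(num_bytes)


def direct_write(requested_len, allocatable_len, fixed):
    """Model one COW direct IO write; return extents left on the inode."""
    inode = Inode()
    inode.reserve(requested_len)  # temporary reservation for the full request
    orig_len = requested_len
    cur_len = min(requested_len, allocatable_len)  # COW case shrinks "len"
    # Pre-fix code released for the shrunken length; the fix uses the original.
    inode.release_extents(orig_len if fixed else cur_len)
    return inode.outstanding_extents


if __name__ == "__main__":
    cases = [(256 * MIB, 64 * MIB), (64 * MIB, 32 * MIB), (256 * MIB, 256 * MIB)]
    for req, got in cases:
        print(f"request={req // MIB} MiB allocated={got // MIB} MiB "
              f"left pre-fix={direct_write(req, got, False)} "
              f"left post-fix={direct_write(req, got, True)}")
```

In this model the counter stays non-zero only when the short write drops the length below a 128 MiB boundary that the original request crossed, which is why a small, nearly full filesystem is needed to see the warning.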
Potential Impact
For European organizations, the impact of CVE-2022-49068 centers on potential filesystem instability and data integrity risks when using the Btrfs filesystem on affected Linux kernel versions. Organizations relying on Btrfs for critical storage, especially in server environments, virtualization hosts, or cloud infrastructure, may experience unexpected warnings, inode destruction errors, or in worst cases, data corruption or loss. This could disrupt services, lead to downtime, or require recovery efforts. Since Btrfs is often used in enterprise Linux distributions and cloud platforms, the vulnerability could affect data centers, hosting providers, and enterprises with Linux-based storage solutions. The lack of known exploits reduces immediate risk, but the subtle nature of the bug means it could be triggered unintentionally during normal operations, especially under heavy IO workloads or specific allocation scenarios. European organizations with compliance requirements around data integrity and availability should consider this vulnerability significant, as filesystem corruption can have regulatory and operational consequences.
Mitigation Recommendations
European organizations should take the following specific mitigation steps:
1) Identify and inventory Linux systems using Btrfs filesystems, focusing on kernel versions matching the affected commits.
2) Prioritize patching and upgrading the Linux kernel to versions where the fix for CVE-2022-49068 is applied, ensuring btrfs_delalloc_release_extents() is correctly called with the original length.
3) For systems where immediate patching is not feasible, implement monitoring for Btrfs warnings related to inode destruction or outstanding extents to detect potential issues early.
4) Regularly back up critical data stored on Btrfs filesystems to enable recovery in case of corruption.
5) Test filesystem integrity using Btrfs scrub and check tools after heavy IO operations or maintenance windows.
6) Consider temporary workload adjustments to reduce direct IO write pressure on Btrfs volumes until patched.
7) Engage with Linux distribution vendors for backported patches and security advisories to ensure timely updates.
These steps go beyond generic advice by emphasizing targeted detection, backup, and workload management specific to Btrfs and this vulnerability.
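One way to implement the monitoring in step 3, as an added example and not tooling from the advisory or the kernel project: a Python scan of kernel log lines for the btrfs_destroy_inode() warning. The sample log is constructed from the trace quoted above (timestamps and the unrelated lines are invented), and `scan` is a hypothetical helper.

```python
import re

# Match on the function name, not the source line number, which varies by build.
WARN_RE = re.compile(
    r"WARNING: CPU: \d+ PID: (?P<pid>\d+) at "
    r"(?P<file>fs/btrfs/\S+):(?P<line>\d+) "
    r"btrfs_destroy_inode\+0x[0-9a-f]+/0x[0-9a-f]+"
)
# Header line that follows a WARNING: process name, taint state, kernel release.
COMM_RE = re.compile(r"Comm: (?P<comm>\S+) .*? (?P<kernel>\d+\.\d+\.\d+\S*) #\d+")

# Constructed sample: the warning lines come from the trace on this page,
# the timestamps and the two unrelated lines are made up for the example.
SAMPLE_LOG = """\
[ 1201.000001] BTRFS info (device vdb): disk space caching is enabled
[ 1312.410022] WARNING: CPU: 0 PID: 757 at fs/btrfs/inode.c:8848 btrfs_destroy_inode+0x1e6/0x210 [btrfs]
[ 1312.410030] Modules linked in: btrfs blake2b_generic xor
[ 1312.410041] CPU: 0 PID: 757 Comm: umount Not tainted 5.17.0-rc8+ #101
[ 1312.410060] RIP: 0010:btrfs_destroy_inode+0x1e6/0x210 [btrfs]
[ 1400.000000] WARNING: CPU: 1 PID: 90 at kernel/sched/core.c:100 some_other_func+0x10/0x20
""".splitlines()


def scan(lines, lookahead=5):
    """Return one finding per btrfs_destroy_inode() WARNING in the log lines."""
    findings = []
    for i, line in enumerate(lines):
        warn = WARN_RE.search(line)
        if not warn:
            continue
        hit = {"pid": int(warn["pid"]),
               "location": f'{warn["file"]}:{warn["line"]}',
               "comm": None, "kernel": None}
        # The process name and kernel release appear a few lines further down.
        for follow in lines[i + 1:i + 1 + lookahead]:
            header = COMM_RE.search(follow)
            if header:
                hit["comm"], hit["kernel"] = header["comm"], header["kernel"]
                break
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        # A hit is a triage lead: confirm whether the reported kernel has the fix.
        print(hit)
```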
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2025-02-26T01:49:39.244Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9820c4522896dcbdd5cf
Added to database: 5/21/2025, 9:08:48 AM
Last enriched: 6/28/2025, 12:25:38 AM
Last updated: 8/17/2025, 8:38:25 AM