CVE-2025-21658: Vulnerability in the Linux kernel (vendor: Linux)
In the Linux kernel, the following vulnerability has been resolved:

btrfs: avoid NULL pointer dereference if no valid extent tree

[BUG]
Syzbot reported a crash with the following call trace:

  BTRFS info (device loop0): scrub: started on devid 1
  BUG: kernel NULL pointer dereference, address: 0000000000000208
  #PF: supervisor read access in kernel mode
  #PF: error_code(0x0000) - not-present page
  PGD 106e70067 P4D 106e70067 PUD 107143067 PMD 0
  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
  CPU: 1 UID: 0 PID: 689 Comm: repro Kdump: loaded Tainted: G O 6.13.0-rc4-custom+ #206
  Tainted: [O]=OOT_MODULE
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
  RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]
  Call Trace:
   <TASK>
   scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]
   scrub_simple_mirror+0x175/0x260 [btrfs]
   scrub_stripe+0x5d4/0x6c0 [btrfs]
   scrub_chunk+0xbb/0x170 [btrfs]
   scrub_enumerate_chunks+0x2f4/0x5f0 [btrfs]
   btrfs_scrub_dev+0x240/0x600 [btrfs]
   btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]
   ? do_sys_openat2+0xa5/0xf0
   __x64_sys_ioctl+0x97/0xc0
   do_syscall_64+0x4f/0x120
   entry_SYSCALL_64_after_hwframe+0x76/0x7e
   </TASK>

[CAUSE]
The reproducer is using a corrupted image where the extent tree root is corrupted, thus forcing the use of the "rescue=all,ro" mount option to mount the image.

Then it triggered a scrub, but since scrub relies on the extent tree to find where the data/metadata extents are, scrub_find_fill_first_stripe() relies on a non-empty extent root.

But unfortunately scrub_find_fill_first_stripe() doesn't really expect a NULL pointer for the extent root; it uses extent_root to grab fs_info and triggers a NULL pointer dereference.

[FIX]
Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe().

The new error path is introduced by 42437a6386ff ("btrfs: introduce mount option rescue=ignorebadroots"), but that's pretty old, and later commit b979547513ff ("btrfs: scrub: introduce helper to find and fill sector info for a scrub_stripe") changed how we do scrub. So for kernels older than 6.6, the fix will need a manual backport.
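To make the [CAUSE] and [FIX] concrete, here is an added, self-contained C model of the defect and its repair. It is not the kernel's code: the struct names, fields, function signatures and the block-group parameter are simplified stand-ins chosen for this illustration, and the "block group carries fs_info" detail is an assumption about how the fixed path obtains fs_info without touching the possibly-NULL root. What it does show faithfully is the shape of the bug described above (reading fs_info through a root pointer that rescue=ignorebadroots can leave NULL) and the shape of the fix (validate the root first and fail the scrub with a corruption error instead of crashing).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117   /* Linux errno btrfs uses for "filesystem is corrupted" */
#endif

/* Simplified stand-ins for btrfs_root / btrfs_fs_info / btrfs_block_group.
 * Constructed for this example; field layout is not the kernel's. */
struct fs_info;

struct btrfs_root {
    struct fs_info *fs_info;            /* back-pointer every root carries */
    unsigned long long objectid;
};

struct fs_info {
    struct btrfs_root *extent_root;     /* NULL when the extent tree root failed to load */
    unsigned sectorsize;
};

struct block_group {
    struct fs_info *fs_info;            /* assumed: the fixed path takes fs_info from here */
    unsigned long long start;
};

struct scrub_stripe {
    unsigned long long logical;
    unsigned nr_sectors;
};

#define STRIPE_LEN (64u * 1024u)

/* Pre-fix shape of the lookup: fs_info is read *through* extent_root before
 * anyone has confirmed extent_root is non-NULL. With rescue=all,ro and a bad
 * extent tree this is the NULL dereference in the trace above (a fault at a
 * small offset from address 0, i.e. a field of a NULL struct). In userspace
 * it is undefined behaviour, so the demo below never calls it with NULL. */
static int find_fill_first_stripe_unchecked(struct btrfs_root *extent_root,
                                            unsigned long long logical,
                                            struct scrub_stripe *st)
{
    struct fs_info *fs_info = extent_root->fs_info;   /* <-- the bug */
    st->logical = logical;
    st->nr_sectors = STRIPE_LEN / fs_info->sectorsize;
    return 0;
}

/* Post-fix shape: obtain fs_info from a pointer that is always valid, check
 * the extent root up front, and turn "no extent tree" into -EUCLEAN so the
 * ioctl fails cleanly instead of the kernel oopsing. */
static int find_fill_first_stripe_checked(struct block_group *bg,
                                          unsigned long long logical,
                                          struct scrub_stripe *st)
{
    struct fs_info *fs_info = bg->fs_info;
    struct btrfs_root *extent_root = fs_info->extent_root;

    if (extent_root == NULL) {
        /* The kernel would report this with btrfs_err(); stderr stands in. */
        fprintf(stderr, "btrfs: no valid extent root, refusing to scrub\n");
        return -EUCLEAN;
    }
    st->logical = logical;
    st->nr_sectors = STRIPE_LEN / fs_info->sectorsize;
    return 0;
}

/* Drive the checked path against a constructed filesystem with or without
 * an extent root. Returns the status the scrub would propagate. */
int demo_scrub(int have_extent_root)
{
    struct fs_info fs = { .extent_root = NULL, .sectorsize = 4096 };
    struct btrfs_root extent_root = { .fs_info = &fs, .objectid = 2 };
    struct block_group bg = { .fs_info = &fs, .start = 1 << 20 };
    struct scrub_stripe st = { 0 };

    if (have_extent_root)
        fs.extent_root = &extent_root;
    return find_fill_first_stripe_checked(&bg, bg.start, &st);
}

/* Sector count the healthy path computes for a 4 KiB sector size (16). */
unsigned demo_sectors_per_stripe(void)
{
    struct fs_info fs = { .extent_root = NULL, .sectorsize = 4096 };
    struct btrfs_root extent_root = { .fs_info = &fs, .objectid = 2 };
    struct scrub_stripe st = { 0 };

    fs.extent_root = &extent_root;
    find_fill_first_stripe_unchecked(&extent_root, 0, &st);  /* non-NULL, safe */
    return st.nr_sectors;
}

int main(void)
{
    printf("healthy fs: status %d\n", demo_scrub(1));
    printf("no extent root: status %d (-EUCLEAN is %d)\n", demo_scrub(0), -EUCLEAN);
    return 0;
}
```

The point of the model is the ordering: the check must come before any read through extent_root, and the error must be one the scrub ioctl can hand back to userspace. A kernel carrying the old rescue=ignorebadroots path but not the newer scrub helper (the backport case the commit message mentions) needs the same ordering applied wherever that kernel's scrub code first touches the extent root.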
AI Analysis
Technical Summary
CVE-2025-21658 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation. The issue arises from a NULL pointer dereference triggered when the extent tree root is corrupted or invalid. Specifically, the vulnerability occurs during the scrub operation, which is designed to check and repair filesystem integrity by scanning data and metadata extents. The scrub process relies on the extent tree to locate these extents. However, if the extent tree root is corrupted, as can happen with a damaged or malformed filesystem image mounted with the "rescue=all,ro" option, the function scrub_find_fill_first_stripe() attempts to use a NULL extent root pointer. This leads to a kernel NULL pointer dereference and a consequent kernel crash (Oops). The root cause is that scrub_find_fill_first_stripe() does not validate the extent root pointer before dereferencing it. The fix involves adding a check for a valid extent root at the start of this function to prevent dereferencing a NULL pointer. This vulnerability affects Linux kernels prior to version 6.6, and older kernels require manual backporting of the fix. The issue was initially reported by Syzbot, an automated kernel fuzzing tool, and no known exploits are currently reported in the wild. The vulnerability is triggered by corrupted Btrfs filesystem images, which may be encountered in scenarios involving disk corruption or maliciously crafted filesystem images. The impact is a denial of service via kernel crash, which can disrupt system availability.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems running Linux kernels older than 6.6 that utilize the Btrfs filesystem, especially in environments where disk integrity checks (scrubs) are regularly performed. The denial of service caused by kernel crashes can lead to system downtime, impacting critical services and operations. Organizations relying on Btrfs for data storage, including cloud providers, hosting services, and enterprises using Linux-based infrastructure, may experience disruptions. Although the vulnerability does not appear to allow privilege escalation or data corruption directly, the forced reboot or crash can interrupt business continuity and potentially cause data loss if unsaved data is present. Additionally, systems exposed to untrusted or potentially corrupted storage media or images could be more vulnerable to triggering this flaw. Given the widespread use of Linux in European data centers, telecommunications, and government infrastructure, the impact could be significant if unpatched systems are exploited or inadvertently triggered. However, the absence of known exploits in the wild and the requirement for a corrupted filesystem image to trigger the vulnerability somewhat limits immediate risk.
Mitigation Recommendations
European organizations should prioritize updating Linux kernels to version 6.6 or later where the fix is included. For systems running older kernels, manual backporting of the patch is recommended to prevent exploitation. Administrators should implement rigorous filesystem integrity monitoring and avoid mounting corrupted or suspicious Btrfs images, especially with rescue options that allow read-only mounts of damaged filesystems. Regular backups and snapshots of critical data stored on Btrfs volumes can mitigate potential data loss from unexpected crashes. Additionally, organizations should consider restricting access to systems that perform scrubbing operations to trusted personnel and processes, reducing the risk of maliciously crafted images triggering the vulnerability. Monitoring kernel logs for Oops or crash messages related to Btrfs scrub operations can help detect attempts to exploit this issue. Finally, integrating kernel fuzzing and automated testing tools like Syzbot into the development and maintenance lifecycle can help identify similar vulnerabilities proactively.
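The log-monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from the advisory or from any monitoring product: a small C routine that scans kernel log lines for a NULL-pointer Oops whose call trace passes through a btrfs scrub frame, which is the signature visible in the trace quoted in the description. The sample lines are constructed for the example (modelled on that trace, not captured from a live system); a routine scrub start/finish pair is included to show it is not flagged.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a kernel Oops with a btrfs scrub call trace, modelled
 * on the trace in the advisory. Not a capture from a real system. */
static const char *const sample_oops[] = {
    "BTRFS info (device loop0): scrub: started on devid 1",
    "BUG: kernel NULL pointer dereference, address: 0000000000000208",
    "#PF: supervisor read access in kernel mode",
    "RIP: 0010:find_first_extent_item+0x26/0x1f0 [btrfs]",
    "Call Trace:",
    " scrub_find_fill_first_stripe+0x13d/0x3b0 [btrfs]",
    " scrub_simple_mirror+0x175/0x260 [btrfs]",
    " btrfs_scrub_dev+0x240/0x600 [btrfs]",
    " btrfs_ioctl+0x1dc8/0x2fa0 [btrfs]",
};

/* Constructed sample: a normal scrub run, which must not be flagged. */
static const char *const sample_benign[] = {
    "BTRFS info (device sda2): scrub: started on devid 1",
    "BTRFS info (device sda2): scrub: finished on devid 1 with status: 0",
};

/* Returns 1 when the lines contain a NULL-pointer Oops that is followed by a
 * btrfs scrub frame in the call trace, 0 otherwise. Requiring both parts
 * keeps ordinary "scrub: started" messages from raising an alert. */
int detect_btrfs_scrub_oops(const char *const lines[], size_t n)
{
    int seen_oops = 0;

    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];

        if (strstr(l, "BUG: kernel NULL pointer dereference"))
            seen_oops = 1;
        else if (seen_oops && strstr(l, "[btrfs]") && strstr(l, "scrub_"))
            return 1;   /* Oops reached a scrub frame: matches the CVE signature */
    }
    return 0;
}

int demo_detect_oops(void)
{
    return detect_btrfs_scrub_oops(sample_oops,
                                   sizeof sample_oops / sizeof sample_oops[0]);
}

int demo_detect_benign(void)
{
    return detect_btrfs_scrub_oops(sample_benign,
                                   sizeof sample_benign / sizeof sample_benign[0]);
}

int main(void)
{
    printf("oops sample flagged: %d\n", demo_detect_oops());     /* 1 */
    printf("benign sample flagged: %d\n", demo_detect_benign()); /* 0 */
    return 0;
}
```

In practice the same two-part match (Oops line, then a scrub frame tagged [btrfs]) can be expressed as a journald or syslog rule; a hit on a host that mounts Btrfs images with rescue options is worth correlating with the mount that preceded it, since the commit message ties the crash to rescue=all,ro on a corrupted image.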
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-29T08:45:45.731Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9834c4522896dcbe9768
Added to database: 5/21/2025, 9:09:08 AM
Last enriched: 6/30/2025, 4:41:35 PM
Last updated: 8/11/2025, 7:47:40 AM