
CVE-2025-21753: Vulnerability in Linux

Severity: High
Published: Thu Feb 27 2025 (02/27/2025, 02:12:23 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free when attempting to join an aborted transaction

When we are trying to join the current transaction and if it's aborted, we read its 'aborted' field after unlocking fs_info->trans_lock and without holding any extra reference count on it. This means that a concurrent task that is aborting the transaction may free the transaction before we read its 'aborted' field, leading to a use-after-free.

Fix this by reading the 'aborted' field while holding fs_info->trans_lock since any freeing task must first acquire that lock and set fs_info->running_transaction to NULL before freeing the transaction.

This was reported by syzbot and Dmitry with the following stack traces from KASAN:

==================================================================
BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128

CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound btrfs_async_reclaim_data_space
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:489
 kasan_report+0x143/0x180 mm/kasan/report.c:602
 join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278
 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
 flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803
 btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317
 worker_thread+0x870/0xd30 kernel/workqueue.c:3398
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5315:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329
 kmalloc_noprof include/linux/slab.h:901 [inline]
 join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308
 start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697
 btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572
 lookup_open fs/namei.c:3649 [inline]
 open_last_lookups fs/namei.c:3748 [inline]
 path_openat+0x1c03/0x3590 fs/namei.c:3984
 do_filp_open+0x27f/0x4e0 fs/namei.c:4014
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_creat fs/open.c:1495 [inline]
 __se_sys_creat fs/open.c:1489 [inline]
 __x64_sys_creat+0x123/0x170 fs/open.c:1489
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5336:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x196/0x430 mm/slub.c:4761
 cleanup_transaction fs/btrfs/transaction.c:2063 [inline]
 btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598
 insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757
 btrfs_balance+0x992/ ---truncated---

AI-Powered Analysis

Last updated: 07/03/2025, 04:27:37 UTC

Technical Analysis

CVE-2025-21753 is a high-severity use-after-free vulnerability in the Linux kernel's Btrfs filesystem implementation. The flaw occurs when attempting to join an aborted transaction: the code reads the 'aborted' field of the current transaction after releasing fs_info->trans_lock and without holding an additional reference count on the transaction object. This creates a race condition in which a concurrent task aborting the transaction may free the transaction structure before the 'aborted' field is accessed, leading to a use-after-free. This type of memory corruption can cause kernel crashes, data corruption, or potentially allow an attacker to execute arbitrary code in kernel space.

The issue was identified by syzbot and Dmitry via Kernel Address Sanitizer (KASAN) reports, which provided detailed stack traces confirming the use-after-free in the join_transaction function within fs/btrfs/transaction.c. The root cause is improper synchronization and reference counting around transaction objects during concurrent abort and join operations. The fix reads the 'aborted' field while still holding fs_info->trans_lock; since any freeing task must first acquire this lock and set fs_info->running_transaction to NULL before freeing the transaction, the window for the race is closed.

This vulnerability affects Linux kernel versions prior to the patch and impacts systems using the Btrfs filesystem, which is commonly used for advanced storage management and snapshotting. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability with low attack complexity, requiring low privileges but no user interaction. No known exploits are currently reported in the wild, but the vulnerability's nature makes it a significant risk for systems running vulnerable kernel versions with Btrfs enabled.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for enterprises and service providers relying on Linux servers with Btrfs filesystems. The use-after-free can lead to system crashes (denial of service), data corruption, or privilege escalation if exploited, potentially allowing attackers to gain kernel-level code execution. This could compromise the confidentiality and integrity of sensitive data, disrupt critical services, and impact availability. Organizations running cloud infrastructure, data centers, or storage servers with Btrfs are particularly exposed. Given the widespread use of Linux in the European public sector, finance, telecommunications, and research institutions, exploitation could lead to severe operational disruptions and data breaches. The vulnerability requires local or low-privilege access but no user interaction, making it feasible for attackers who have gained limited access to escalate privileges or cause system instability. The absence of known exploits currently provides a window for mitigation, but the high severity and kernel-level impact necessitate urgent patching to prevent potential targeted attacks or wormable scenarios in multi-tenant environments.

Mitigation Recommendations

1. Immediate application of the official Linux kernel patches that fix this vulnerability is critical. Organizations should update to the latest stable kernel versions that include the fix for CVE-2025-21753.
2. If immediate patching is not feasible, consider disabling or avoiding the use of the Btrfs filesystem on critical systems until patched.
3. Implement strict access controls and monitoring to limit local user access, as exploitation requires at least low privileges on the system.
4. Employ kernel hardening techniques such as Kernel Address Space Layout Randomization (KASLR) and Kernel Page Table Isolation (KPTI), and enable kernel memory protection features to reduce exploitation risk.
5. Monitor system logs and kernel crash reports for signs of use-after-free or abnormal behavior related to Btrfs transactions.
6. In multi-tenant or cloud environments, isolate workloads and enforce strict privilege separation to reduce the attack surface.
7. Regularly audit and update Linux kernel versions as part of patch management policies to ensure timely remediation of such vulnerabilities.
8. Engage with Linux distribution vendors for backported patches if using long-term support kernels.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-29T08:45:45.760Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9832c4522896dcbe86c4

Added to database: 5/21/2025, 9:09:06 AM

Last enriched: 7/3/2025, 4:27:37 AM

Last updated: 8/18/2025, 11:35:25 PM

