CVE-2025-37931: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do bit_start++; to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page. To make this easier this is how everything looks [0 16k 32k 48k ] logical address [0 4 8 12 ] radix tree offset [ 64k page ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | | | | | | | | | | | | | | ] bitmap Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4. When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k. However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries. In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation start = folio_start + bit_start * fs_info->sectorsize; so in the case above, eb->start 0 is now dirty, and we calculate start as 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers. The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit.
AI Analysis
Technical Summary
CVE-2025-37931 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically related to the handling of extent buffer (EB) metadata writes when using certain page, node, and sector sizes. The issue arises in configurations where the system uses a 64k page size, 16k node size, and 4k sector size. The vulnerability is due to incorrect handling of the subpage bitmap that tracks dirty ranges of extent buffers. When scanning the bitmap for dirty blocks, the code increments the bit_start pointer incorrectly if the current range is clean, advancing by one bit instead of by the number of sectors per node. This causes misalignment between the bitmap bits and the radix tree offsets used to track extent buffers. As a result, some dirty extent buffers are skipped during write-out operations, leading to metadata write omissions. This can cause tree log corruption and ultimately filesystem metadata corruption. The root cause is the use of fs_info->sectorsize_bits for addressing nodes, which does not align correctly with the bitmap layout in the affected configurations. The fix involves always incrementing bit_start by sectors_per_node to maintain correct alignment and ensure all dirty extent buffers are properly written out. This vulnerability affects all metadata writes in the Btrfs filesystem under the specified configuration and can lead to filesystem corruption, data loss, and potential system instability. No known exploits are reported in the wild as of now, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to data integrity and availability on Linux systems using the Btrfs filesystem with the affected configurations (64k page size, 16k node size, 4k sector size). Many enterprise Linux distributions and cloud providers in Europe support Btrfs, especially for advanced storage features like snapshots and checksumming. Metadata corruption can lead to data loss, system crashes, and prolonged downtime, impacting critical business operations, especially in sectors relying on high data integrity such as finance, healthcare, and government. Since the issue affects metadata writes, it can cause silent corruption that may not be immediately detected, increasing the risk of cascading failures or data recovery challenges. The vulnerability does not require user interaction or authentication to be triggered, as it is a kernel-level filesystem bug, but exploitation requires the system to be running the specific kernel and filesystem configuration. The absence of known exploits reduces immediate risk, but the potential for severe data corruption makes timely patching essential. Organizations using Btrfs in production environments, particularly with custom kernel builds or specialized hardware configurations, should prioritize assessment and remediation to avoid operational disruptions.
Mitigation Recommendations
1. Apply the official Linux kernel patch that corrects the bitmap handling logic in the Btrfs filesystem to ensure proper incrementing of bit_start by sectors_per_node. Monitor Linux kernel mailing lists and vendor advisories for updated kernel releases containing this fix. 2. For organizations using custom or long-term support kernels, backport the patch to maintain stability while addressing the vulnerability. 3. Conduct thorough filesystem integrity checks (e.g., using btrfs scrub and btrfs check) after patching to detect and repair any existing corruption caused by this issue. 4. Implement regular backups and snapshot strategies to minimize data loss risk in case of filesystem corruption. 5. Monitor system logs and kernel messages for signs of Btrfs metadata errors or tree log corruption to detect early signs of exploitation or impact. 6. Avoid running configurations with the vulnerable combination of page size, node size, and sector size if patching is delayed, or consider migrating critical workloads to alternative filesystems temporarily. 7. Engage with Linux distribution vendors to confirm the availability of patched kernel versions and coordinate timely deployment in production environments.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
CVE-2025-37931: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: adjust subpage bit start based on sectorsize When running machines with 64k page size and a 16k nodesize we started seeing tree log corruption in production. This turned out to be because we were not writing out dirty blocks sometimes, so this in fact affects all metadata writes. When writing out a subpage EB we scan the subpage bitmap for a dirty range. If the range isn't dirty we do bit_start++; to move onto the next bit. The problem is the bitmap is based on the number of sectors that an EB has. So in this case, we have a 64k pagesize, 16k nodesize, but a 4k sectorsize. This means our bitmap is 4 bits for every node. With a 64k page size we end up with 4 nodes per page. To make this easier this is how everything looks [0 16k 32k 48k ] logical address [0 4 8 12 ] radix tree offset [ 64k page ] folio [ 16k eb ][ 16k eb ][ 16k eb ][ 16k eb ] extent buffers [ | | | | | | | | | | | | | | | | ] bitmap Now we use all of our addressing based on fs_info->sectorsize_bits, so as you can see the above our 16k eb->start turns into radix entry 4. When we find a dirty range for our eb, we correctly do bit_start += sectors_per_node, because if we start at bit 0, the next bit for the next eb is 4, to correspond to eb->start 16k. However if our range is clean, we will do bit_start++, which will now put us offset from our radix tree entries. In our case, assume that the first time we check the bitmap the block is not dirty, we increment bit_start so now it == 1, and then we loop around and check again. This time it is dirty, and we go to find that start using the following equation start = folio_start + bit_start * fs_info->sectorsize; so in the case above, eb->start 0 is now dirty, and we calculate start as 0 + 1 * fs_info->sectorsize = 4096 4096 >> 12 = 1 Now we're looking up the radix tree for 1, and we won't find an eb. What's worse is now we're using bit_start == 1, so we do bit_start += sectors_per_node, which is now 5. If that eb is dirty we will run into the same thing, we will look at an offset that is not populated in the radix tree, and now we're skipping the writeout of dirty extent buffers. The best fix for this is to not use sectorsize_bits to address nodes, but that's a larger change. Since this is a fs corruption problem fix it simply by always using sectors_per_node to increment the start bit.
AI-Powered Analysis
Technical Analysis
CVE-2025-37931 is a vulnerability identified in the Linux kernel's Btrfs filesystem implementation, specifically related to the handling of extent buffer (EB) metadata writes when using certain page, node, and sector sizes. The issue arises in configurations where the system uses a 64k page size, 16k node size, and 4k sector size. The vulnerability is due to incorrect handling of the subpage bitmap that tracks dirty ranges of extent buffers. When scanning the bitmap for dirty blocks, the code increments the bit_start pointer incorrectly if the current range is clean, advancing by one bit instead of by the number of sectors per node. This causes misalignment between the bitmap bits and the radix tree offsets used to track extent buffers. As a result, some dirty extent buffers are skipped during write-out operations, leading to metadata write omissions. This can cause tree log corruption and ultimately filesystem metadata corruption. The root cause is the use of fs_info->sectorsize_bits for addressing nodes, which does not align correctly with the bitmap layout in the affected configurations. The fix involves always incrementing bit_start by sectors_per_node to maintain correct alignment and ensure all dirty extent buffers are properly written out. This vulnerability affects all metadata writes in the Btrfs filesystem under the specified configuration and can lead to filesystem corruption, data loss, and potential system instability. No known exploits are reported in the wild as of now, and no CVSS score has been assigned yet.
Potential Impact
For European organizations, this vulnerability poses a significant risk to data integrity and availability on Linux systems using the Btrfs filesystem with the affected configurations (64k page size, 16k node size, 4k sector size). Many enterprise Linux distributions and cloud providers in Europe support Btrfs, especially for advanced storage features like snapshots and checksumming. Metadata corruption can lead to data loss, system crashes, and prolonged downtime, impacting critical business operations, especially in sectors relying on high data integrity such as finance, healthcare, and government. Since the issue affects metadata writes, it can cause silent corruption that may not be immediately detected, increasing the risk of cascading failures or data recovery challenges. The vulnerability does not require user interaction or authentication to be triggered, as it is a kernel-level filesystem bug, but exploitation requires the system to be running the specific kernel and filesystem configuration. The absence of known exploits reduces immediate risk, but the potential for severe data corruption makes timely patching essential. Organizations using Btrfs in production environments, particularly with custom kernel builds or specialized hardware configurations, should prioritize assessment and remediation to avoid operational disruptions.
Mitigation Recommendations
1. Apply the official Linux kernel patch that corrects the bitmap handling logic in the Btrfs filesystem to ensure proper incrementing of bit_start by sectors_per_node. Monitor Linux kernel mailing lists and vendor advisories for updated kernel releases containing this fix. 2. For organizations using custom or long-term support kernels, backport the patch to maintain stability while addressing the vulnerability. 3. Conduct thorough filesystem integrity checks (e.g., using btrfs scrub and btrfs check) after patching to detect and repair any existing corruption caused by this issue. 4. Implement regular backups and snapshot strategies to minimize data loss risk in case of filesystem corruption. 5. Monitor system logs and kernel messages for signs of Btrfs metadata errors or tree log corruption to detect early signs of exploitation or impact. 6. Avoid running configurations with the vulnerable combination of page size, node size, and sector size if patching is delayed, or consider migrating critical workloads to alternative filesystems temporarily. 7. Engage with Linux distribution vendors to confirm the availability of patched kernel versions and coordinate timely deployment in production environments.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2025-04-16T04:51:23.970Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682cd0f71484d88663aeaf9e
Added to database: 5/20/2025, 6:59:03 PM
Last enriched: 7/4/2025, 1:55:55 AM
Last updated: 8/9/2025, 3:39:18 PM
Views: 20
Related Threats
CVE-2025-26398: CWE-798 Use of Hard-coded Credentials in SolarWinds Database Performance Analyzer
MediumCVE-2025-41686: CWE-306 Missing Authentication for Critical Function in Phoenix Contact DaUM
HighCVE-2025-8874: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in litonice13 Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations
MediumCVE-2025-8767: CWE-1236 Improper Neutralization of Formula Elements in a CSV File in anwppro AnWP Football Leagues
MediumCVE-2025-8482: CWE-862 Missing Authorization in 10up Simple Local Avatars
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.