CVE-2025-40101
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST
At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error.
Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Btrfs in Linux kernel fails to free memory on early error return for non-SINGLE data profile without a RAID stripe tree, causing a memory leak.
Root Cause
In the Linux kernel's btrfs filesystem, the function btrfs_load_block_group_zone_info() performs zone information loading for block groups. At the end of this function, a check is made to ensure that if the mapping type is not a SINGLE profile and there is no RAID stripe tree (RST) present, the function returns early with an error [1]. However, this early return path bypasses the cleanup code that frees memory allocated earlier in the function, leading to a memory leak [1].
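The early-return pattern described above, reduced to a user-space C model (an added example, not the kernel's code or the fix commit's diff). The function names, buffer sizes, allocation counter and the -EINVAL error code are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed user-space model, not kernel code: tracks live allocations. */
static int live_allocs;
static void *tracked_alloc(size_t n) { void *p = calloc(1, n); if (p) live_allocs++; return p; }
static void tracked_free(void *p) { if (p) { live_allocs--; free(p); } }
int outstanding_allocs(void) { return live_allocs; }

/* Pre-fix shape: the profile check returns before the cleanup at the end. */
int load_zone_info_leaky(bool single_profile, bool has_rst)
{
    int ret = 0;
    void *zone_info = tracked_alloc(64); /* hypothetical scratch buffers */
    void *active = tracked_alloc(8);

    if (!zone_info || !active) {
        ret = -ENOMEM;
        goto out;
    }
    if (!single_profile && !has_rst)
        return -EINVAL; /* assumed error code; skips both frees below */
out:
    tracked_free(active);
    tracked_free(zone_info);
    return ret;
}

/* Fixed shape: record the error and fall through to the same cleanup. */
int load_zone_info_fixed(bool single_profile, bool has_rst)
{
    int ret = 0;
    void *zone_info = tracked_alloc(64);
    void *active = tracked_alloc(8);

    if (!zone_info || !active) {
        ret = -ENOMEM;
        goto out;
    }
    if (!single_profile && !has_rst)
        ret = -EINVAL; /* same error reported, cleanup still runs */
out:
    tracked_free(active);
    tracked_free(zone_info);
    return ret;
}
```

Both variants return the same error to the caller, so the leak is invisible from return values alone; only the allocation count after the call distinguishes them.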
Exploitation
An attacker with the ability to trigger the loading of a block group zone info with a non-SINGLE data profile on a btrfs filesystem that lacks a RAID stripe tree can cause the kernel to leak memory. This requires local access to the system and the ability to manipulate btrfs volume profiles (e.g., by mounting or resizing a filesystem). No authentication beyond normal user access is needed, as the attacker may be able to trigger the condition through filesystem operations.
Impact
The vulnerability results in kernel memory leaks over time. Repeatedly triggering the bug could exhaust system memory, potentially leading to denial of service (DoS). This is a kernel-level vulnerability that affects overall system stability and availability.
Mitigation
The fix has been included in the Linux kernel stable tree as commit 187333e6d484c6630286bfdd07c79d6815a63887 [1]. Users should apply the latest stable kernel updates to resolve the issue. No workarounds other than avoiding non-SINGLE profiles without an RST are available, which is not possible in all configurations.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3 (187333e6d484, 602701d00439, fec9b9d3ced3)
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.