CVE-2025-37827

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
08/05/2025
Last modified:
12/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

btrfs: zoned: return EIO on RAID1 block group write pointer mismatch

There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks.

The stack trace has the following signature:

BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile
BUG: kernel NULL pointer dereference, address: 0000000000000058
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0
RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001
RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410
RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000
R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000
FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0
Call Trace:
 ? __die_body.cold+0x19/0x27
 ? page_fault_oops+0x15c/0x2f0
 ? exc_page_fault+0x7e/0x180
 ? asm_exc_page_fault+0x26/0x30
 ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0
 btrfs_add_free_space_async_trimmed+0x34/0x40
 btrfs_add_new_free_space+0x107/0x120
 btrfs_make_block_group+0x104/0x2b0
 btrfs_create_chunk+0x977/0xf20
 btrfs_chunk_alloc+0x174/0x510
 ? srso_return_thunk+0x5/0x5f
 btrfs_inc_block_group_ro+0x1b1/0x230
 btrfs_relocate_block_group+0x9e/0x410
 btrfs_relocate_chunk+0x3f/0x130
 btrfs_balance+0x8ac/0x12b0
 ? srso_return_thunk+0x5/0x5f
 ? srso_return_thunk+0x5/0x5f
 ? __kmalloc_cache_noprof+0x14c/0x3e0
 btrfs_ioctl+0x2686/0x2a80
 ? srso_return_thunk+0x5/0x5f
 ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120
 __x64_sys_ioctl+0x97/0xc0
 do_syscall_64+0x82/0x160
 ? srso_return_thunk+0x5/0x5f
 ? __memcg_slab_free_hook+0x11a/0x170
 ? srso_return_thunk+0x5/0x5f
 ? kmem_cache_free+0x3f0/0x450
 ? srso_return_thunk+0x5/0x5f
 ? srso_return_thunk+0x5/0x5f
 ? syscall_exit_to_user_mode+0x10/0x210
 ? srso_return_thunk+0x5/0x5f
 ? do_syscall_64+0x8e/0x160
 ? sysfs_emit+0xaf/0xc0
 ? srso_return_thunk+0x5/0x5f
 ? srso_return_thunk+0x5/0x5f
 ? seq_read_iter+0x207/0x460
 ? srso_return_thunk+0x5/0x5f
 ? vfs_read+0x29c/0x370
 ? srso_return_thunk+0x5/0x5f
 ? srso_return_thunk+0x5/0x5f
 ? syscall_exit_to_user_mode+0x10/0x210
 ? srso_return_thunk+0x5/0x5f
 ? do_syscall_64+0x8e/0x160
 ? srso_return_thunk+0x5/0x5f
 ? exc_page_fault+0x7e/0x180
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7fdab1e0ca6d
RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d
RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003
RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001

CR2: 0000000000000058
---[ end trace 0000000000000000 ]---

The 1st line is the most interesting here:

BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile

When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems.

But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_
---truncated---

Vulnerable products and versions

CPE                                               From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.10.10 (including)  6.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.11.1 (including)   6.12.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)     6.14.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:-:*:*:*:*:*:*   (single version)
cpe:2.3:o:linux:linux_kernel:6.11:rc7:*:*:*:*:*:* (single version)
cpe:2.3:o:linux:linux_kernel:6.15:rc1:*:*:*:*:*:* (single version)
cpe:2.3:o:linux:linux_kernel:6.15:rc2:*:*:*:*:*:* (single version)
cpe:2.3:o:linux:linux_kernel:6.15:rc3:*:*:*:*:*:* (single version)