Memory Leak Vulnerability in Btrfs File System by Linux Kernel
CVE-2025-40209

Currently unrated

Key Information:

Vendor: Linux
Status: Linux
Vendor: CVE Published:; 21 November 2025

What is CVE-2025-40209?

A memory leak vulnerability exists in the Btrfs file system within the Linux Kernel, specifically in the function btrfs_add_qgroup_relation(). The issue arises when invalid qgroup levels are provided, causing the function to return an error without releasing a preallocated qgroup_list structure. This oversight results in a memory leak, as the pointer to the structure cannot be cleaned up effectively by the caller. Unprivileged users with write access to a Btrfs mount can exploit this flaw to exhaust system memory by repeatedly triggering the leak.

Affected Version(s)

Linux 4addc1ffd67ad34394674dc91379dc04cfdd2537 < 3412d0e973e8f8381747d69033eda809a57a2581

Linux 4addc1ffd67ad34394674dc91379dc04cfdd2537

References

https://git.kernel.org/stable/c/3412d0e973e8f8381747d6903...

https://git.kernel.org/stable/c/a4d9ebe23bcb79d9d057e3c99...

https://git.kernel.org/stable/c/f260c6aff0b8af236084012d1...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2025
Vulnerability Reserved
Apr 16, 2025

JSON