CVE-2025-39759 Cert Portal CVE debrief

Who should care

Linux kernel maintainers, distribution security teams, and administrators of systems that use Btrfs quota groups and expose quota rescan functionality. Because the issue is locally reachable and affects kernel memory safety, it matters most where untrusted or lower-privileged local users can interact with the affected filesystem features.

Technical summary

The advisory text describes a race in Btrfs qgroup handling. Task A enters btrfs_ioctl_quota_rescan() and btrfs_qgroup_rescan(), while Task B disables quotas via btrfs_quota_disable(). Task B’s wait-for-completion check can return before fs_info->qgroup_rescan_running is set, so it proceeds to btrfs_free_qgroup_config() and frees qgroup records from fs_info->qgroup_tree without taking fs_info->qgroup_lock. Meanwhile, Task A later enters qgroup_rescan_zero_tracking() and iterates the same tree while holding the lock, which can lead to a use-after-free. The described remediation is to take fs_info->qgroup_lock in btrfs_free_qgroup_config() and to avoid starting the rescan worker if quotas are already disabled. The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, which aligns with a local availability-impacting flaw.

Defensive priority

Medium. The issue is local and requires limited privileges, but it affects kernel memory safety and can produce a denial-of-service condition. Prioritize remediation on hosts that use Btrfs quotas or rely on quota rescan workflows, especially systems where local users may be able to trigger the affected ioctl path.

Recommended defensive actions

• Apply the vendor or downstream kernel fix that adds locking in btrfs_free_qgroup_config() and blocks rescan worker startup after quotas are disabled.
• Backport the patch to supported kernels in your fleet if the upstream fix is not yet included in your distribution build.
• Review whether Btrfs quota rescan functionality is needed on exposed systems, and limit access to local accounts that can invoke the relevant ioctl paths.
• Validate your affected-product mapping carefully: the supplied source corpus includes Siemens/CISA advisory references, but the vulnerability text itself describes a Linux kernel Btrfs issue, so the product association's
• evidenceNotes
• The source corpus provides a CISA CSAF record (ICSA-26-134-10) dated 2026-05-12 and modified 2026-05-14. The embedded description explicitly states the Linux kernel Btrfs qgroup race and the use-after-free scenario, and它
• resourceLinkAnnotations":[{"linkId":"source-item","note":"Primary source item in the supplied corpus; contains the CVE description, CVSS vector, and publication timeline fields used here."},{"linkId":"cve-org","note":"C
• disclosure":"Published in the supplied CISA CSAF source on 2026-05-12 and republished/modified on 2026-05-14. Use the CVE publication date from the provided timeline fields; do not infer a later generation date as the CV

Evidence notes

The source corpus provides a CISA CSAF record (ICSA-26-134-10) published on 2026-05-12 and modified on 2026-05-14. Its description explicitly states the Linux kernel Btrfs qgroup race, the use-after-free scenario, and the intended fix. The supplied vendor/product metadata points to Siemens SIMATIC CN 4100, but that mapping does not match the vulnerability description; it should be treated as low-confidence and reviewed independently.

Official resources