PatchSiren cyber security CVE debrief

CVE-2025-71269 Linux CVE debrief

CVE-2025-71269 is a Linux kernel Btrfs bug in inline extent handling. When inline extent creation fails with -ENOSPC, the code falls back to the normal COW path, but the reserved qgroup data was being freed as if no data would be used. The published fix changes that cleanup so qgroup data is only freed when the inline path does not fall back.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-05-21
Advisory published: 2026-03-18
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distribution security teams, and operators running Btrfs on affected kernel versions should care, especially where quota groups (qgroups) and inline file writes are in use.

Technical summary

According to the CVE description, __cow_file_range_inline() could reach a fallback path after inline extent creation failed with -ENOSPC. In that case, the code should continue into the normal COW flow, reserve an extent, and create an ordered extent. The bug was that reserved qgroup data was always freed during this cleanup, even though the fallback path would still use the data. The fix restricts that qgroup data release to cases where no fallback occurs.

Defensive priority

Medium priority. NVD rates the issue CVSS 5.5/Medium, with a local attack vector, low privileges required, and high availability impact. Systems using affected Linux kernel branches with Btrfs should prioritize updating to vendor-fixed builds.

Recommended defensive actions

  • Review whether your Linux kernels fall within the affected NVD version ranges for this CVE.
  • Apply the kernel fixes referenced in the official patch links and use a vendor build that includes the backport.
  • If you operate Btrfs with qgroups, validate that your patch level includes the inline-fallback cleanup fix.
  • Track distribution security advisories for backported fixes in supported kernel streams.
  • Confirm that any rolling or custom kernels are updated beyond the affected release ranges before relying on them in production.

Evidence notes

Source evidence is limited to the CVE description, NVD metadata, and the linked kernel patches. NVD marks the vulnerability as analyzed, assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and lists affected Linux kernel ranges including 4.4 through 6.1.168, 6.2 through 6.6.134, 6.7 through 6.12.81, 6.13 through 6.18.10, and 6.19-rc1 through 6.19-rc4. NVD's weakness classification is NVD-CWE-noinfo. The CVE was published on 2026-03-18 and modified on 2026-05-21.
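A first-pass triage check for the version ranges listed above, written as an added example that is not part of the CVE record or the kernel patches. It assumes both bounds of each range are inclusive, as this page's "through" reads, and the function names are hypothetical.

```python
import re

# Affected upstream ranges as listed in the evidence notes on this page.
# Assumption: both bounds are inclusive, following the page's "through".
AFFECTED_RANGES = [
    ("4.4", "6.1.168"),
    ("6.2", "6.6.134"),
    ("6.7", "6.12.81"),
    ("6.13", "6.18.10"),
    ("6.19-rc1", "6.19-rc4"),
]

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
_FINAL = 10**6  # sorts a final release after every -rcN of the same version


def parse_release(release):
    """Turn a `uname -r` style string into a comparable tuple.

    Distribution suffixes such as "-generic" or "-amd64" are ignored.
    Returns None when the string does not start with an upstream version.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else _FINAL)


def affected_range(release):
    """Return the listed (low, high) range containing `release`, or None."""
    version = parse_release(release)
    if version is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    for low, high in AFFECTED_RANGES:
        if parse_release(low) <= version <= parse_release(high):
            return (low, high)
    return None


if __name__ == "__main__":
    import platform
    running = platform.release()
    hit = affected_range(running)
    print(running, "->", f"listed range {hit[0]} through {hit[1]}" if hit
          else "outside the listed upstream ranges")
```

A match only means the upstream version number falls in a listed range. Distribution kernels carry backports under an unchanged base version, so confirm the result against the vendor advisory for the installed package.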

Official resources

Publicly disclosed in the CVE record on 2026-03-18; last modified on 2026-05-21. No KEV listing was provided in the supplied source corpus.