CVE-2023-53183: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability in the Linux kernel's BTRFS filesystem implementation was identified and tracked as CVE-2023-53183. The issue was discovered when Syzbot reported a crash triggered by an ASSERT() inside the preparetomerge() function. The vulnerability was disclosed on September 15, 2025 (NVD).

The vulnerability stems from a race condition between quota tree creation and relocation processes in the BTRFS filesystem. This race condition leads to the creation of a duplicated quota tree in the btrfsreadfsroot() path. Since this duplicated tree is treated as an fs tree with ROOTSHAREABLE flag, it triggers the creation of a reloc tree, ultimately causing the ASSERT() failure (Debian Tracker).

The vulnerability affects various Linux kernel versions, with confirmed impacts on Debian distributions including bullseye (vulnerable in versions 5.10.223-1 and 5.10.237-1), while fixes have been implemented in bookworm (6.1.153-1), trixie (6.12.48-1), and sid (6.16.8-1) releases (Debian Tracker).

The issue has been resolved by replacing the problematic ASSERT() with a more graceful handling mechanism that provides additional debugging information about mismatched reloc roots. The fix also includes replacing ASSERT(0)s inside mergerelocroots() with WARN_ON()s for better error handling (NVD).