CVE-2025-21658: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-21658 is a NULL pointer dereference vulnerability discovered in the Linux kernel's BTRFS filesystem implementation. The vulnerability was disclosed on January 21, 2025, affecting Linux kernel versions from 5.11 up to versions before 6.6.72, 6.7 through 6.12.10, and various release candidates of version 6.13 (NVD).

The vulnerability occurs in the BTRFS filesystem when attempting to perform a scrub operation on a corrupted filesystem where the extent tree root is invalid. The issue manifests in the scrubfindfillfirststripe() function, which fails to properly handle NULL extent roots, leading to a NULL pointer dereference. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a kernel crash through a NULL pointer dereference, resulting in a denial of service condition. The issue specifically affects systems using the BTRFS filesystem with corrupted extent trees, particularly when mounted with the 'rescue=all,ro' option (Kernel Patch).

The vulnerability has been patched by adding an extra validation check for a valid extent root at the beginning of the scrubfindfillfirststripe() function. The fix has been implemented in Linux kernel version 6.6.72 and later versions. For kernels older than 6.6, the fix requires manual backporting (Kernel Patch).