CVE-2025-40100: 
Linux Kernel vulnerability analysis and mitigation

CVE-2025-40100 is a vulnerability discovered in the Linux kernel's BTRFS filesystem component, specifically in the free space tree creation functionality. The vulnerability was disclosed on October 30, 2025, affecting the BTRFS filesystem implementation (NVD).

The vulnerability occurs in the populatefreespacetree() function when building a free space tree without using the block group tree feature. The system incorrectly assumes the presence of block group items (either extent items or block group items with key type BTRFSBLOCKGROUPITEMKEY) during extent tree searches with btrfssearchslotfor_read(). This assumption fails when a new block group is created in the current transaction but hasn't yet had its block group item added to the extent tree. The issue manifests as a kernel assertion failure at fs/btrfs/free-space-tree.c:1115 (Red Hat).

The vulnerability results in a kernel panic when the assertion fails, leading to system instability and potential denial of service. The CVSS v3.1 base score is 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating a moderate severity local vulnerability with high availability impact (Red Hat).

The vulnerability has been fixed in the Linux kernel by removing the incorrect assertion at populatefreespace_tree() and updating the related documentation to account for the case where block group items may not be immediately present. Multiple Linux distributions have released or are in the process of releasing patched kernel versions (Debian Security Tracker).