Vulnerability DatabaseCVE-2025-40209

CVE-2025-40209:
Linux Debian vulnerability analysis and mitigation

Overview

A memory leak vulnerability was discovered in the Linux kernel's BTRFS filesystem component, identified as CVE-2025-40209. The issue was disclosed on November 21, 2025, affecting the btrfsaddqgroup_relation function when handling invalid qgroup levels (NVD).

Technical details

The vulnerability occurs in the btrfsaddqgrouprelation() function when called with invalid qgroup levels (src >= dst). The function returns -EINVAL directly without freeing the preallocated qgrouplist structure passed by the caller. This happens because the level validation check occurs before the mutex acquisition and before any error handling path that would free the prealloc pointer. The cleanup code at the 'out' label is never reached, resulting in a 64-byte memory leak per failed operation (NVD, Debian Tracker).

Impact

The vulnerability can be triggered repeatedly by an unprivileged user with access to a writable btrfs mount, potentially leading to kernel memory exhaustion. Each failed operation results in a 64-byte memory leak (NVD).

Mitigation and workarounds

The fix involves ensuring prealloc is freed before the early return, guaranteeing that prealloc is always freed on all error paths. This prevents the memory leak condition from occurring (NVD).

Additional resources

Source: This report was generated using AI

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-13470	HIGH	7.7	Linux Debian	rnp	No	Yes	Nov 21, 2025
CVE-2025-62626	HIGH	7.2	Echo	libertas-sd8686-firmware	No	Yes	Nov 21, 2025
CVE-2025-40211	N/A	N/A	Linux Kernel	kernel-rt-64k-modules-internal	No	Yes	Nov 21, 2025
CVE-2025-40210	N/A	N/A	Echo	linux	No	Yes	Nov 21, 2025
CVE-2025-40209	N/A	N/A	Linux Debian	linux	No	Yes	Nov 21, 2025