CVE-2025-71159

{"id": "CVE-2025-71159", "cveTags": [], "metrics": {}, "published": "2026-01-23T16:15:52.793", "references": [{"url": "https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()\n\nPreviously, btrfs_get_or_create_delayed_node() set the delayed_node's\nrefcount before acquiring the root->delayed_nodes lock.\nCommit e8513c012de7 (\"btrfs: implement ref_tracker for delayed_nodes\")\nmoved refcount_set inside the critical section, which means there is\nno longer a memory barrier between setting the refcount and setting\nbtrfs_inode->delayed_node.\n\nWithout that barrier, the stores to node->refs and\nbtrfs_inode->delayed_node may become visible out of order. Another\nthread can then read btrfs_inode->delayed_node and attempt to\nincrement a refcount that hasn't been set yet, leading to a\nrefcounting bug and a use-after-free warning.\n\nThe fix is to move refcount_set back to where it was to take\nadvantage of the implicit memory barrier provided by lock\nacquisition.\n\nBecause the allocations now happen outside of the lock's critical\nsection, they can use GFP_NOFS instead of GFP_ATOMIC."}], "lastModified": "2026-01-26T15:03:51.687", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}