CVE-2023-53618 in Linux
Summary
by MITRE • 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: reject invalid reloc tree root keys with stack dump
[BUG]
Syzbot reported a crash in which an ASSERT() got triggered inside prepare_to_merge().
That ASSERT() makes sure the reloc tree is properly pointed back by its subvolume tree.
[CAUSE]
After more debugging output, it turns out we had an invalid reloc tree:
BTRFS error (device loop1): reloc tree mismatch, root 8 has no reloc root, expect reloc root key (-8, 132, 8) gen 17
Note the above root key is (TREE_RELOC_OBJECTID, ROOT_ITEM, QUOTA_TREE_OBJECTID), meaning it's a reloc tree for quota tree.
But reloc trees can only exist for subvolumes, as for non-subvolume trees, we just COW the involved tree block, no need to create a reloc tree since those tree blocks won't be shared with other trees.
Only subvolume trees can share tree blocks with other trees (thus they have the BTRFS_ROOT_SHAREABLE flag).
Thus this new debug output proves my previous assumption that corrupted on-disk data can trigger that ASSERT().
[FIX]
Besides the dedicated fix and the graceful exit, also let tree-checker check such root keys, to make sure reloc trees can only exist for subvolumes.
Analysis
by VulDB Data Team • 04/20/2026
The vulnerability described in CVE-2023-53618 represents a critical flaw in the Linux kernel's btrfs file system implementation that stems from improper validation of relocation tree root keys. This issue manifests as an assertion failure within the prepare_to_merge() function, which serves as a protective mechanism to ensure that relocation trees are correctly referenced back by their corresponding subvolume trees. The vulnerability was initially discovered through syzbot automated testing, which identified a crash condition that triggered an assertion check designed to maintain data integrity within the btrfs storage subsystem.
The root cause of this vulnerability lies in the improper handling of relocation tree keys that reference non-subvolume objects. Specifically, the system encountered a relocation tree with a root key structured as (TREE_RELOC_OBJECTID, ROOT_ITEM, QUOTA_TREE_OBJECTID), which indicates an attempt to create a relocation tree for a quota tree rather than a subvolume. This represents a fundamental violation of btrfs architecture principles since relocation trees are exclusively intended for subvolumes that can share tree blocks with other trees, a property that requires the BTRFS_ROOT_SHAREABLE flag to be set. Non-subvolume trees, including quota trees, do not require relocation trees because they employ copy-on-write operations that do not involve shared tree blocks, making the creation of relocation trees for such objects both unnecessary and structurally invalid.
The operational impact of this vulnerability extends beyond simple system crashes to potentially enable data corruption and unauthorized access patterns within the btrfs file system. When corrupted on-disk data contains invalid relocation tree root keys, the assertion mechanism fails, leading to kernel panics and system instability. This vulnerability particularly affects systems running btrfs file systems where the kernel attempts to process malformed relocation tree structures, creating opportunities for denial-of-service conditions that can compromise the entire storage subsystem. The issue demonstrates how malformed data structures can trigger critical kernel assertions, potentially allowing attackers to craft specific inputs that could exploit this weakness to cause system instability or, in more severe scenarios, gain elevated privileges through carefully constructed file system metadata.
The fix addresses both the immediate assertion failure and the broader validation framework of the btrfs subsystem: it corrects the handling of invalid relocation tree root keys and adds a tree-checker rule so that such keys are rejected before they are processed. This is defense in depth, catching malformed metadata at more than one layer, and it ensures that relocation trees can only be created for subvolumes, the only roots that support sharing tree blocks, thereby preserving the architectural integrity of the file system. The case shows how a small gap in data-structure validation in kernel space can lead to a critical failure, and why validation must detect and reject invalid structures before they reach a kernel-level assertion, preventing both crashes and potential exploitation. In ATT&CK terms it illustrates how privilege escalation through a kernel vulnerability can be prevented by proper validation of system-level data structures, and it maps to CWE categories for improper input validation and inadequate error handling in kernel components.
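The tree-checker rule described under [FIX] in the summary and in the analysis above, as an added user-space model in C (not code from the kernel commit or from VulDB): the btrfs constants are the kernel's on-disk values, which also decode the reported key (-8, 132, 8), and the subvolume test follows the kernel's is_fstree() helper, which I assume the fix relies on.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* btrfs on-disk constants (kernel ctree.h). The reported key (-8, 132, 8)
 * decodes as (TREE_RELOC_OBJECTID, ROOT_ITEM, QUOTA_TREE_OBJECTID). */
#define BTRFS_FS_TREE_OBJECTID     5ULL
#define BTRFS_QUOTA_TREE_OBJECTID  8ULL
#define BTRFS_FIRST_FREE_OBJECTID  256ULL
#define BTRFS_TREE_RELOC_OBJECTID  ((uint64_t)-8)
#define BTRFS_ROOT_ITEM_KEY        132
#define BTRFS_QGROUP_LEVEL_SHIFT   48

struct btrfs_key { uint64_t objectid; uint8_t type; uint64_t offset; };

/* Subvolume test as in the kernel's is_fstree(): the default fs tree, or any
 * root id >= 256 whose top 16 bits are clear (bits there mark qgroup ids,
 * not trees). Negative ids such as -8 are the reloc trees themselves. */
static bool is_fstree(uint64_t rootid)
{
    if (rootid == BTRFS_FS_TREE_OBJECTID)
        return true;
    return (int64_t)rootid >= (int64_t)BTRFS_FIRST_FREE_OBJECTID &&
           (rootid >> BTRFS_QGROUP_LEVEL_SHIFT) == 0;
}

/* Model of the rule the fix adds to tree-checker: a ROOT_ITEM key under
 * TREE_RELOC_OBJECTID must name a subvolume in its offset. Returns 0 when the
 * key is acceptable, -1 (the kernel uses -EUCLEAN) when it must be rejected
 * so the corrupted metadata never reaches the ASSERT() in prepare_to_merge(). */
int check_reloc_root_key(const struct btrfs_key *key)
{
    if (key->type != BTRFS_ROOT_ITEM_KEY)
        return 0;
    if (key->objectid == BTRFS_TREE_RELOC_OBJECTID && !is_fstree(key->offset)) {
        fprintf(stderr, "invalid reloc tree for root %lld: not a subvolume tree\n",
                (long long)key->offset);
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input: the exact key from the syzbot report, then a valid one. */
    struct btrfs_key bad = { BTRFS_TREE_RELOC_OBJECTID, BTRFS_ROOT_ITEM_KEY, BTRFS_QUOTA_TREE_OBJECTID };
    struct btrfs_key good = { BTRFS_TREE_RELOC_OBJECTID, BTRFS_ROOT_ITEM_KEY, 257 };
    printf("quota tree: %d, subvolume 257: %d\n", check_reloc_root_key(&bad), check_reloc_root_key(&good));
    return 0;
}
```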