CVE-2025-38034 in Linux
Summary
by MITRE • 06/18/2025
In the Linux kernel, the following vulnerability has been resolved:
btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref
btrfs_prelim_ref() calls the old and new reference variables in the incorrect order. This causes a NULL pointer dereference because oldref is passed as NULL to trace_btrfs_prelim_ref_insert().
Note, trace_btrfs_prelim_ref_insert() is being called with newref as oldref (and oldref as NULL) on purpose in order to print out the values of newref.
To reproduce: echo 1 > /sys/kernel/debug/tracing/events/btrfs/btrfs_prelim_ref_insert/enable
Perform some writeback operations.
Backtrace: BUG: kernel NULL pointer dereference, address: 0000000000000018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 115949067 P4D 115949067 PUD 11594a067 PMD 0 Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 1 UID: 0 PID: 1188 Comm: fsstress Not tainted 6.15.0-rc2-tester+ #47 PREEMPT(voluntary) 7ca2cef72d5e9c600f0c7718adb6462de8149622 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-2-gc13ff2cd-prebuilt.qemu.org 04/01/2014 RIP: 0010:trace_event_raw_event_btrfs__prelim_ref+0x72/0x130 Code: e8 43 81 9f ff 48 85 c0 74 78 4d 85 e4 0f 84 8f 00 00 00 49 8b 94 24 c0 06 00 00 48 8b 0a 48 89 48 08 48 8b 52 08 48 89 50 10 <49> 8b 55 18 48 89 50 18 49 8b 55 20 48 89 50 20 41 0f b6 55 28 88 RSP: 0018:ffffce44820077a0 EFLAGS: 00010286 RAX: ffff8c6b403f9014 RBX: ffff8c6b55825730 RCX: 304994edf9cf506b RDX: d8b11eb7f0fdb699 RSI: ffff8c6b403f9010 RDI: ffff8c6b403f9010 RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000010 R10: 00000000ffffffff R11: 0000000000000000 R12: ffff8c6b4e8fb000 R13: 0000000000000000 R14: ffffce44820077a8 R15: ffff8c6b4abd1540 FS: 00007f4dc6813740(0000) GS:ffff8c6c1d378000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000018 CR3: 000000010eb42000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> prelim_ref_insert+0x1c1/0x270 find_parent_nodes+0x12a6/0x1ee0 ? __entry_text_end+0x101f06/0x101f09 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 ? srso_alias_return_thunk+0x5/0xfbef5 btrfs_is_data_extent_shared+0x167/0x640 ? fiemap_process_hole+0xd0/0x2c0 extent_fiemap+0xa5c/0xbc0 ? __entry_text_end+0x101f05/0x101f09 btrfs_fiemap+0x7e/0xd0 do_vfs_ioctl+0x425/0x9d0 __x64_sys_ioctl+0x75/0xc0
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/02/2026
The vulnerability identified as CVE-2025-38034 affects the Linux kernel's btrfs file system implementation and stems from an incorrect argument order in the btrfs_prelim_ref function call. This flaw specifically impacts the trace_btrfs_prelim_ref_insert() function which receives parameters in the wrong sequence, leading to a NULL pointer dereference when the oldref variable is passed as NULL instead of the expected newref value. The issue manifests during writeback operations when tracing is enabled, creating a kernel oops condition that can potentially lead to system instability or denial of service.
The technical root cause of this vulnerability lies in the improper parameter handling within the btrfs subsystem's preliminary reference management code. According to CWE-457, this represents a use of uninitialized variable or incorrect parameter passing that results in undefined behavior. The flaw is classified under the broader category of improper argument ordering in function calls, which can lead to critical system failures when the kernel attempts to process trace events for btrfs operations. The kernel's tracing infrastructure expects specific parameter ordering to properly log and analyze file system operations, and this misordering causes the trace event handler to access invalid memory locations.
The operational impact of this vulnerability extends beyond simple system crashes, as it affects the reliability of btrfs file system operations and can compromise system stability during normal workload execution. When tracing is enabled through the debug interface, the kernel's ability to properly log btrfs operations becomes compromised, potentially leading to incomplete diagnostic information and system lockups. This vulnerability particularly impacts systems running recent kernel versions where btrfs is actively used, and could be exploited by malicious actors to cause denial of service conditions or potentially gain unauthorized access to system resources through carefully crafted file system operations. The issue affects both read and write operations within the btrfs file system, making it a significant concern for systems relying on this storage implementation.
Mitigation strategies for CVE-2025-38034 should focus on both immediate patch application and operational monitoring. System administrators should prioritize applying the kernel patch that corrects the argument order in the btrfs_prelim_ref function call, which directly addresses the root cause of the NULL pointer dereference. Additionally, monitoring systems should be configured to detect unusual kernel oops conditions or trace event failures related to btrfs operations, particularly when writeback activities are occurring. The ATT&CK framework's T1489 technique for hiding artifacts through kernel manipulation suggests that this vulnerability could be exploited to create stealthy system disruptions, making proactive monitoring crucial. Organizations should also consider disabling btrfs tracing features when not actively debugging, as this reduces the attack surface and prevents the specific conditions that trigger the vulnerability. System hardening measures including kernel lockdown configurations and proper access controls for debug interfaces can further reduce the risk of exploitation.