Linux Kernel up to 6.18.5/6.19-rc4 btrfs_get_or_create_delayed_node use after free

Summaryinfo

A vulnerability was found in Linux Kernel up to 6.18.5/6.19-rc4. It has been classified as critical. Affected by this issue is the function btrfs_get_or_create_delayed_node. Performing a manipulation results in use after free. This vulnerability is known as CVE-2025-71159. No exploit is available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability classified as critical has been found in Linux Kernel up to 6.18.5/6.19-rc4. This affects the function btrfs_get_or_create_delayed_node. The manipulation with an unknown input leads to a use after free vulnerability. CWE is classifying the issue as CWE-416. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC.

The advisory is shared at git.kernel.org. This vulnerability is uniquely identified as CVE-2025-71159 since 01/13/2026. The exploitability is told to be easy. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 05/17/2026).

The vulnerability scanner Nessus provides a plugin with the ID 296395 (Linux Distros Unpatched Vulnerability : CVE-2025-71159), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.18.6 or 6.19-rc5 eliminates this vulnerability. Applying the patch c8385851a5435f4006281828d428e5d0b0bbf8af/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (296395) and CERT Bund (WID-SEC-2026-0215). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Affected

• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• IBM QRadar SIEM
• SUSE openSUSE
• RESF Rocky Linux
• NetApp ActiveIQ Unified Manager
• Open Source Linux Kernel

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.18.0
• 6.18.1
• 6.18.2
• 6.18.3
• 6.18.4
• 6.18.5
• 6.19-rc1
• 6.19-rc2
• 6.19-rc3
• 6.19-rc4

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion