{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-21752","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-29T08:45:45.759Z","datePublished":"2025-02-27T02:12:22.741Z","dateUpdated":"2026-03-25T10:19:21.526Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-03-25T10:19:21.526Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents\n\nDon't use btrfs_set_item_key_safe() to modify the keys in the RAID\nstripe-tree, as this can lead to corruption of the tree, which is caught\nby the checks in btrfs_set_item_key_safe():\n\n BTRFS info (device nvme1n1): leaf 49168384 gen 15 total ptrs 194 free space 8329 owner 12\n BTRFS info (device nvme1n1): refs 2 lock_owner 1030 current 1030\n  [ snip ]\n  item 105 key (354549760 230 20480) itemoff 14587 itemsize 16\n                  stride 0 devid 5 physical 67502080\n  item 106 key (354631680 230 4096) itemoff 14571 itemsize 16\n                  stride 0 devid 1 physical 88559616\n  item 107 key (354631680 230 32768) itemoff 14555 itemsize 16\n                  stride 0 devid 1 physical 88555520\n  item 108 key (354717696 230 28672) itemoff 14539 itemsize 16\n                  stride 0 devid 2 physical 67604480\n  [ snip ]\n BTRFS critical (device nvme1n1): slot 106 key (354631680 230 32768) new key (354635776 230 4096)\n ------------[ cut here ]------------\n kernel BUG at fs/btrfs/ctree.c:2602!\n Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 UID: 0 PID: 1055 Comm: fsstress Not tainted 6.13.0-rc1+ #1464\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014\n RIP: 0010:btrfs_set_item_key_safe+0xf7/0x270\n Code: <snip>\n RSP: 0018:ffffc90001337ab0 EFLAGS: 00010287\n RAX: 0000000000000000 RBX: ffff8881115fd000 RCX: 0000000000000000\n RDX: 0000000000000001 RSI: 0000000000000001 RDI: 00000000ffffffff\n RBP: ffff888110ed6f50 R08: 00000000ffffefff R09: ffffffff8244c500\n R10: 00000000ffffefff R11: 00000000ffffffff R12: ffff888100586000\n R13: 00000000000000c9 R14: ffffc90001337b1f R15: ffff888110f23b58\n FS:  00007f7d75c72740(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007fa811652c60 CR3: 0000000111398001 CR4: 0000000000370eb0\n Call Trace:\n  <TASK>\n  ? __die_body.cold+0x14/0x1a\n  ? die+0x2e/0x50\n  ? do_trap+0xca/0x110\n  ? do_error_trap+0x65/0x80\n  ? btrfs_set_item_key_safe+0xf7/0x270\n  ? exc_invalid_op+0x50/0x70\n  ? btrfs_set_item_key_safe+0xf7/0x270\n  ? asm_exc_invalid_op+0x1a/0x20\n  ? btrfs_set_item_key_safe+0xf7/0x270\n  btrfs_partially_delete_raid_extent+0xc4/0xe0\n  btrfs_delete_raid_extent+0x227/0x240\n  __btrfs_free_extent.isra.0+0x57f/0x9c0\n  ? exc_coproc_segment_overrun+0x40/0x40\n  __btrfs_run_delayed_refs+0x2fa/0xe80\n  btrfs_run_delayed_refs+0x81/0xe0\n  btrfs_commit_transaction+0x2dd/0xbe0\n  ? preempt_count_add+0x52/0xb0\n  btrfs_sync_file+0x375/0x4c0\n  do_fsync+0x39/0x70\n  __x64_sys_fsync+0x13/0x20\n  do_syscall_64+0x54/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f7d7550ef90\n Code: <snip>\n RSP: 002b:00007ffd70237248 EFLAGS: 00000202 ORIG_RAX: 000000000000004a\n RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f7d7550ef90\n RDX: 000000000000013a RSI: 000000000040eb28 RDI: 0000000000000004\n RBP: 000000000000001b R08: 0000000000000078 R09: 00007ffd7023725c\n R10: 00007f7d75400390 R11: 0000000000000202 R12: 028f5c28f5c28f5c\n R13: 8f5c28f5c28f5c29 R14: 000000000040b520 R15: 00007f7d75c726c8\n  </TASK>\n\nWhile the root cause of the tree order corruption isn't clear, using\nbtrfs_duplicate_item() to copy the item and then adjusting both the key\nand the per-device physical addresses is a safe way to counter this\nproblem."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/raid-stripe-tree.c"],"versions":[{"version":"02c372e1f016e5113217597ab37b399c4e407477","lessThan":"1c25eff52ee5a02a2c4be659a44ae972d9989742","status":"affected","versionType":"git"},{"version":"02c372e1f016e5113217597ab37b399c4e407477","lessThan":"dc14ba10781bd2629835696b7cc1febf914768e9","status":"affected","versionType":"git"},{"version":"ab69bf6f8970c09d3735c25094e9471d54365282","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/raid-stripe-tree.c"],"versions":[{"version":"6.7","status":"affected"},{"version":"0","lessThan":"6.7","status":"unaffected","versionType":"semver"},{"version":"6.13.3","lessThanOrEqual":"6.13.*","status":"unaffected","versionType":"semver"},{"version":"6.14","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.13.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.14"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6.130"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/1c25eff52ee5a02a2c4be659a44ae972d9989742"},{"url":"https://git.kernel.org/stable/c/dc14ba10781bd2629835696b7cc1febf914768e9"}],"title":"btrfs: don't use btrfs_set_item_key_safe on RAID stripe-extents","x_generator":{"engine":"bippy-1.2.0"}}}}