{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-39759","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-04-16T07:20:57.126Z","datePublished":"2025-09-11T16:52:28.314Z","dateUpdated":"2026-05-12T12:06:49.038Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T21:35:42.611Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: qgroup: fix race between quota disable and quota rescan ioctl\n\nThere's a race between a task disabling quotas and another running the\nrescan ioctl that can result in a use-after-free of qgroup records from\nthe fs_info->qgroup_tree rbtree.\n\nThis happens as follows:\n\n1) Task A enters btrfs_ioctl_quota_rescan() -> btrfs_qgroup_rescan();\n\n2) Task B enters btrfs_quota_disable() and calls\n   btrfs_qgroup_wait_for_completion(), which does nothing because at that\n   point fs_info->qgroup_rescan_running is false (it wasn't set yet by\n   task A);\n\n3) Task B calls btrfs_free_qgroup_config() which starts freeing qgroups\n   from fs_info->qgroup_tree without taking the lock fs_info->qgroup_lock;\n\n4) Task A enters qgroup_rescan_zero_tracking() which starts iterating\n   the fs_info->qgroup_tree tree while holding fs_info->qgroup_lock,\n   but task B is freeing qgroup records from that tree without holding\n   the lock, resulting in a use-after-free.\n\nFix this by taking fs_info->qgroup_lock at btrfs_free_qgroup_config().\nAlso at btrfs_qgroup_rescan() don't start the rescan worker if quotas\nwere already disabled."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/qgroup.c"],"versions":[{"version":"e685da14af6b31e4b336a110cb1bae1afc268be8","lessThan":"7cda0fdde5d9890976861421d207870500f9aace","status":"affected","versionType":"git"},{"version":"e685da14af6b31e4b336a110cb1bae1afc268be8","lessThan":"b172535ccba12f0cf7d23b3b840989de47fc104d","status":"affected","versionType":"git"},{"version":"e685da14af6b31e4b336a110cb1bae1afc268be8","lessThan":"dd0b28d877b293b1d7f8727a7de08ae36b6b9ef0","status":"affected","versionType":"git"},{"version":"e685da14af6b31e4b336a110cb1bae1afc268be8","lessThan":"c38028ce0d0045ca600b6a8345a0ff92bfb47b66","status":"affected","versionType":"git"},{"version":"e685da14af6b31e4b336a110cb1bae1afc268be8","lessThan":"2fd0f5ceb997f90f4332ccbab6c7e907e6b2d0eb","status":"affected","versionType":"git"},{"version":"e685da14af6b31e4b336a110cb1bae1afc268be8","lessThan":"e1249667750399a48cafcf5945761d39fa584edf","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["fs/btrfs/qgroup.c"],"versions":[{"version":"3.12","status":"affected"},{"version":"0","lessThan":"3.12","status":"unaffected","versionType":"semver"},{"version":"6.1.149","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.103","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.44","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.15.11","lessThanOrEqual":"6.15.*","status":"unaffected","versionType":"semver"},{"version":"6.16.2","lessThanOrEqual":"6.16.*","status":"unaffected","versionType":"semver"},{"version":"6.17","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12","versionEndExcluding":"6.1.149"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12","versionEndExcluding":"6.6.103"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12","versionEndExcluding":"6.12.44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12","versionEndExcluding":"6.15.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12","versionEndExcluding":"6.16.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.12","versionEndExcluding":"6.17"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7cda0fdde5d9890976861421d207870500f9aace"},{"url":"https://git.kernel.org/stable/c/b172535ccba12f0cf7d23b3b840989de47fc104d"},{"url":"https://git.kernel.org/stable/c/dd0b28d877b293b1d7f8727a7de08ae36b6b9ef0"},{"url":"https://git.kernel.org/stable/c/c38028ce0d0045ca600b6a8345a0ff92bfb47b66"},{"url":"https://git.kernel.org/stable/c/2fd0f5ceb997f90f4332ccbab6c7e907e6b2d0eb"},{"url":"https://git.kernel.org/stable/c/e1249667750399a48cafcf5945761d39fa584edf"}],"title":"btrfs: qgroup: fix race between quota disable and quota rescan ioctl","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T17:43:07.988Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-05-12T12:06:49.038Z"},"affected":[{"vendor":"Siemens","product":"SIMATIC CN 4100","versions":[{"status":"affected","version":"0","lessThan":"V5.0","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-032379.html"}]}]}}