Cyber Resilience

CVE-2025-71159

High

Published: 23 January 2026

Modified: 26 February 2026
KEV Added
Patch
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-71159 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2025-71159 is a use-after-free vulnerability in the Linux kernel's BTRFS filesystem, specifically within the btrfs_get_or_create_delayed_node() function. The issue stems from a refcounting bug introduced by commit e8513c012de7, which relocated the refcount_set operation inside the root->delayed_nodes lock critical section. This removed a necessary memory barrier, allowing stores to node->refs and btrfs_inode->delayed_node to become visible out of order to other threads. As a result, another thread could read the delayed_node pointer and attempt to increment an uninitialized refcount, triggering the use-after-free (CWE-416). The vulnerability carries a CVSS v3.1 base score of 7.8.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N); the attack vector is local (AV:L) and the scope is unchanged (S:U). Successful exploitation could have a high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes via the use-after-free condition in multi-threaded BTRFS operations.

Mitigation is provided through kernel patches available in the referenced commits: https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 and https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af. These fixes restore the refcount_set operation outside the critical section to leverage the lock's implicit memory barrier, preventing the out-of-order visibility issue. Additionally, since allocations now occur outside the lock, they can safely use GFP_NOFS instead of GFP_ATOMIC. Security practitioners should apply these stable kernel updates to affected systems running BTRFS.

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node()

Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning.

The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC.
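The ordering problem described in the analysis and in the commit text above, as an added user-space C11 example (not kernel code and not from the original page). `struct node`, `struct inode`, `ref_get`, `reader` and the two `publish_*` functions are hypothetical stand-ins; the reordering is replayed by hand in one thread so the outcome is deterministic, and a release store stands in for the barrier the kernel fix obtains from lock acquisition.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical user-space stand-ins, not the kernel's structures. */
struct node  { atomic_uint refs; };
struct inode { _Atomic(struct node *) delayed_node; };

/* Take a reference only if the count is already non-zero. */
static bool ref_get(struct node *n)
{
    unsigned old = atomic_load_explicit(&n->refs, memory_order_relaxed);
    while (old != 0)
        if (atomic_compare_exchange_weak_explicit(&n->refs, &old, old + 1,
                memory_order_acquire, memory_order_relaxed))
            return true;
    return false; /* count not set yet: the refcounting bug */
}

/* Reader: 0 = nothing published, 1 = reference taken, -1 = saw refs == 0. */
static int reader(struct inode *i)
{
    struct node *n = atomic_load_explicit(&i->delayed_node, memory_order_acquire);
    if (!n) return 0;
    return ref_get(n) ? 1 : -1;
}

/* Buggy visibility order, replayed by hand: the pointer store is seen first. */
static int publish_unordered(struct inode *i, struct node *n)
{
    atomic_init(&n->refs, 0);
    atomic_store_explicit(&i->delayed_node, n, memory_order_relaxed);
    int seen = reader(i); /* reader runs inside the window */
    atomic_store_explicit(&n->refs, 1, memory_order_relaxed); /* constructed value */
    return seen;
}

/* Fixed order: count first, then a release store publishes the pointer. */
static int publish_ordered(struct inode *i, struct node *n)
{
    atomic_init(&n->refs, 1); /* constructed value */
    atomic_store_explicit(&i->delayed_node, n, memory_order_release);
    return reader(i);
}

int main(void)
{
    static struct inode a, b; /* static storage: pointers start as NULL */
    static struct node na, nb;
    return !(publish_unordered(&a, &na) == -1 && publish_ordered(&b, &nb) == 1);
}
```

The acquire load in `reader` pairs with the release store in `publish_ordered`, so any reader that sees the pointer also sees the initialised count.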

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF in BTRFS enables direct exploitation for privilege escalation to root via arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 · Same product: Linux Linux Kernel
CVE-2026-31530 · Same product: Linux Linux Kernel
CVE-2026-43019 · Same product: Linux Linux Kernel
CVE-2026-23158 · Same product: Linux Linux Kernel
CVE-2025-21893 · Same product: Linux Linux Kernel
CVE-2026-31446 · Same product: Linux Linux Kernel
CVE-2026-31650 · Same product: Linux Linux Kernel
CVE-2026-23001 · Same product: Linux Linux Kernel
CVE-2024-50051 · Same product: Linux Linux Kernel
CVE-2025-21759 · Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
6.19 · 6.18 — 6.18.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely remediation of the BTRFS use-after-free vulnerability through application of the available kernel patches that restore the necessary memory barrier.

detect

Facilitates identification of the CVE-2025-71159 vulnerability in kernel versions via vulnerability scanning, enabling prompt patching.

prevent

Implements memory safeguards like ASLR and DEP to mitigate exploitation of the refcounting-induced use-after-free in multi-threaded BTRFS operations.
