CVE-2025-71159
Published: 23 January 2026
Summary
CVE-2025-71159 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation of this flaw maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 7.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2025-71159 is a use-after-free vulnerability in the Linux kernel's BTRFS filesystem, specifically within the btrfs_get_or_create_delayed_node() function. The issue stems from a refcounting bug introduced by commit e8513c012de7, which relocated the refcount_set operation inside the root->delayed_nodes lock critical section. This removed a necessary memory barrier, allowing stores to node->refs and btrfs_inode->delayed_node to become visible out of order to other threads. As a result, another thread could read the delayed_node pointer and attempt to increment an uninitialized refcount, triggering the use-after-free (CWE-416). The vulnerability carries a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) over a local attack vector (AV:L), with unchanged scope (S:U). Successful exploitation could have high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution, data corruption, or system crashes via the use-after-free condition in multi-threaded BTRFS operations.
Mitigation is provided through the kernel patches in the referenced commits: https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 and https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af. These fixes move the refcount_set() call back outside the critical section so that the implicit memory barrier of the lock acquisition orders the refcount store before the pointer store, preventing the out-of-order visibility. Additionally, since the allocations now occur outside the lock, they can safely use GFP_NOFS instead of GFP_ATOMIC. Security practitioners should apply these stable kernel updates to affected systems running BTRFS.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4311
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 ("btrfs: implement ref_tracker for delayed_nodes") moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn't been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock's critical section, they can use GFP_NOFS instead of GFP_ATOMIC.
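To make the ordering failure concrete, here is an added, constructed single-threaded model (not kernel code and not taken from the fixing commits) of the publish/lookup sequence described in the deeper analysis and the commit message above: it simulates the interleaving by running the reader at the point where another thread could observe the pointer, contrasts the regressed order (pointer visible before refs is set) with the restored order, and adds a checked reader in the style of the kernel's refcount_inc_not_zero() to show why a zero refcount must never be incremented. The names node, owner, lookup_naive, lookup_checked and refcount_drift are the model's own.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Constructed model of a refcounted object published through a shared pointer,
 * standing in for btrfs_delayed_node and btrfs_inode->delayed_node. */
struct node  { atomic_int refs; };
struct owner { _Atomic(struct node *) delayed_node; };
typedef struct node *(*reader_fn)(struct owner *);

/* Reader as in the page's scenario: sees the pointer, increments refs unconditionally. */
static struct node *lookup_naive(struct owner *o) {
    struct node *n = atomic_load_explicit(&o->delayed_node, memory_order_acquire);
    if (n) atomic_fetch_add(&n->refs, 1);
    return n;
}

/* Defensive reader in the style of the kernel's refcount_inc_not_zero():
 * never take a reference on an object whose refcount is still zero. */
static struct node *lookup_checked(struct owner *o) {
    struct node *n = atomic_load_explicit(&o->delayed_node, memory_order_acquire);
    if (!n) return NULL;
    int old = atomic_load(&n->refs);
    do {
        if (old == 0) return NULL;          /* refcount not initialised yet: refuse */
    } while (!atomic_compare_exchange_weak(&n->refs, &old, old + 1));
    return n;
}

/* Simulates one interleaving: the reader runs at the moment a second thread
 * could observe the pointer. Returns refs minus the number of holders; 0 means
 * the count is consistent, negative means a holder's reference was lost, so the
 * object would be freed while still in use. */
static int refcount_drift(reader_fn reader, int set_refs_first) {
    static struct owner o;
    static struct node n;
    int holders = 2;                        /* one ref for the cache, one for the creator */
    atomic_store(&n.refs, 0);               /* freshly allocated memory, refs not yet set */
    if (set_refs_first) atomic_store(&n.refs, holders);      /* fixed order: refs before pointer */
    atomic_store_explicit(&o.delayed_node, &n, memory_order_release);
    if (reader(&o)) holders++;              /* reader believes it now owns a reference */
    if (!set_refs_first) atomic_store(&n.refs, 2);           /* regressed order: overwrites the reader's increment */
    return atomic_load(&n.refs) - holders;
}

int main(void) {
    printf("regressed order, plain increment: drift %d\n", refcount_drift(lookup_naive, 0));
    printf("regressed order, checked reader:  drift %d\n", refcount_drift(lookup_checked, 0));
    printf("fixed order, plain increment:     drift %d\n", refcount_drift(lookup_naive, 1));
    return 0;
}
```

In a real multi-threaded run the release store of the pointer paired with the acquire load in the reader is what guarantees the refs store is visible first; the regressed path loses that guarantee, which is what the lock's implicit barrier restored in the fix.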
CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Privilege Escalation (T1068)
Why these techniques?
A local kernel UAF in BTRFS enables direct exploitation for privilege escalation to root via arbitrary code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of the BTRFS use-after-free vulnerability through application of the available kernel patches that restore the necessary memory barrier.
- RA-5 (Vulnerability Monitoring and Scanning): Facilitates identification of the CVE-2025-71159 vulnerability in kernel versions via vulnerability scanning, enabling prompt patching.
- Implements memory safeguards like ASLR and DEP to mitigate exploitation of the refcounting-induced use-after-free in multi-threaded BTRFS operations.