PT-2025-4339 · Linux+5 · Linux Kernel+5
Syzbot · Published 2025-01-06 · Updated 2026-05-26 · CVE-2025-21658
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6
Description
A vulnerability in the Linux kernel's btrfs code has been resolved; the fix avoids a NULL pointer dereference when no valid extent tree is present. The issue was reported by Syzbot, which triggered a crash with a specific call trace. The problem occurs because scrub_find_fill_first_stripe() relies on a non-empty extent root and does not expect a NULL pointer for the extent root, which leads to a NULL pointer dereference. The crash is triggered by a corrupted image in which the extent tree root is corrupted, forcing the use of the "rescue=all,ro" mount option to mount the image.
Recommendations
For Linux kernel versions prior to 6.6, the fix will need a manual backport.
Add an extra check for a valid extent root at the beginning of scrub_find_fill_first_stripe().
As a temporary workaround, consider disabling the scrub_find_fill_first_stripe() function until a patch is available.
Restrict access to the vulnerable btrfs module to minimize the risk of exploitation.
Avoid using the rescue=all,ro mount option until the issue is resolved.
Exploit
Fix
NULL Pointer Dereference
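A user-space C model of the bug described above and of the recommended early check, added here as an illustration; it is not the kernel's code or the upstream patch. All types, function names and return codes are hypothetical, and the extent list is constructed sample data.

```c
#include <stddef.h>
/* Hypothetical user-space model: names and types are assumptions, not kernel definitions. */
struct extent { unsigned long start, len; };
struct extent_root { const struct extent *items; size_t count; };
struct fs_model { const struct extent_root *extent_root; };
enum { SCRUB_OK = 0, SCRUB_NOT_FOUND = 1, SCRUB_NO_EXTENT_ROOT = -1, MOUNT_FAILED = -2 };

static const struct extent sample_items[] = { {0, 4096}, {8192, 4096} }; /* constructed */
static const struct extent_root sample_root = { sample_items, 2 };

/* A corrupted extent tree root fails a normal mount; a rescue-style mount
 * proceeds anyway and leaves the extent root pointer NULL. */
int model_mount(struct fs_model *fs, const struct extent_root *root,
                int root_corrupted, int rescue_all)
{
    if (root_corrupted && !rescue_all)
        return MOUNT_FAILED;
    fs->extent_root = root_corrupted ? NULL : root;
    return SCRUB_OK;
}

/* Before: assumes the extent root exists; a NULL root faults at root->count. */
int find_first_stripe_unchecked(const struct fs_model *fs, unsigned long logical,
                                struct extent *out)
{
    const struct extent_root *root = fs->extent_root;
    for (size_t i = 0; i < root->count; i++)
        if (root->items[i].start + root->items[i].len > logical) {
            *out = root->items[i];
            return SCRUB_OK;
        }
    return SCRUB_NOT_FOUND;
}

/* After: reject a missing extent root first, then run the same search. */
int find_first_stripe_checked(const struct fs_model *fs, unsigned long logical,
                              struct extent *out)
{
    if (fs->extent_root == NULL)
        return SCRUB_NO_EXTENT_ROOT;
    return find_first_stripe_unchecked(fs, logical, out);
}

int main(void)
{
    struct fs_model fs; struct extent out;
    model_mount(&fs, &sample_root, 1, 1);   /* corrupted root, rescue mount */
    return find_first_stripe_checked(&fs, 0, &out) == SCRUB_NO_EXTENT_ROOT ? 0 : 1;
}
```

The model shows why the NULL root is only reachable through the rescue-style mount: without it the mount itself fails before scrub can run.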
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu