{"api_version":"1","generated_at":"2026-05-13T05:56:12+00:00","cve":"CVE-2025-21753","urls":{"html":"https://cve.report/CVE-2025-21753","api":"https://cve.report/api/cve/CVE-2025-21753.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2025-21753","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2025-21753"},"summary":{"title":"btrfs: fix use-after-free when attempting to join an aborted transaction","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it's aborted,\nwe read its 'aborted' field after unlocking fs_info->trans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its 'aborted' field, leading to a use-after-free.\n\nFix this by reading the 'aborted' field while holding fs_info->trans_lock\nsince any freeing task must first acquire that lock and set\nfs_info->running_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\n   Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:378 [inline]\n    print_report+0x169/0x550 mm/kasan/report.c:489\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n    process_one_work kernel/workqueue.c:3236 [inline]\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n    kthread+0x2f0/0x390 kernel/kthread.c:389\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n    </TASK>\n\n   Allocated by task 5315:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n    kmalloc_noprof include/linux/slab.h:901 [inline]\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n    lookup_open fs/namei.c:3649 [inline]\n    open_last_lookups fs/namei.c:3748 [inline]\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n    do_sys_open fs/open.c:1417 [inline]\n    __do_sys_creat fs/open.c:1495 [inline]\n    __se_sys_creat fs/open.c:1489 [inline]\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n   Freed by task 5336:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n    poison_slab_object mm/kasan/common.c:247 [inline]\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n    kasan_slab_free include/linux/kasan.h:233 [inline]\n    slab_free_hook mm/slub.c:2353 [inline]\n    slab_free mm/slub.c:4613 [inline]\n    kfree+0x196/0x430 mm/slub.c:4761\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n    btrfs_balance+0x992/\n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2025-02-27 03:15:15","updated_at":"2026-05-12 13:16:34"},"problem_types":["CWE-416","CWE-416 CWE-416 Use After Free"],"metrics":[{"version":"3.1","source":"ADP","type":"DECLARED","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}}],"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","name":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec","name":"https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec","name":"https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63","name":"https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc","name":"https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca","name":"https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","name":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html","refsource":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01","name":"https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753","name":"https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html","name":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7","name":"https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2025-21753","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-21753","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee cee55b1219568c80bf0d5dc55066e4a859baf753 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee c7a53757717e68af94a56929d57f1e6daff220ec git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee 7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee 6ba4663ada6c6315af23a6669d386146634808ec git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee 8f5cff471039caa2b088060c074c2bf2081bcb01 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee 86d71a026a7f63da905db9add845c8ee88801eca git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee ce628048390dad80320d5a1f74de6ca1e1be91e7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 871383be592ba7e819d27556591e315a0df38cee e2f0943cf37305dbdeaf9846e3c941451bcdef63 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.4","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.4 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.4.291 5.4.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.235 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.179 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.129 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.78 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.14 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.13.3 6.13.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.14 * original_commit_for_fix","platforms":[]},{"source":"ADP","vendor":"Siemens","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","version":"affected * custom","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2025","cve_id":"21753","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2025-21753","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-02-27T18:14:22.911957Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-416","description":"CWE-416 Use After Free","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-02-27T18:22:29.598Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T19:36:58.333Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"}],"title":"CVE Program Container"},{"affected":[{"defaultStatus":"unknown","product":"SIMATIC S7-1500 TM MFP - GNU/Linux subsystem","vendor":"Siemens","versions":[{"lessThan":"*","status":"affected","version":"0","versionType":"custom"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T12:03:36.932Z","orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP"},"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-265688.html"}],"x_adpType":"supplier"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["fs/btrfs/transaction.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"cee55b1219568c80bf0d5dc55066e4a859baf753","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"c7a53757717e68af94a56929d57f1e6daff220ec","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"6ba4663ada6c6315af23a6669d386146634808ec","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"8f5cff471039caa2b088060c074c2bf2081bcb01","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"86d71a026a7f63da905db9add845c8ee88801eca","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"ce628048390dad80320d5a1f74de6ca1e1be91e7","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"},{"lessThan":"e2f0943cf37305dbdeaf9846e3c941451bcdef63","status":"affected","version":"871383be592ba7e819d27556591e315a0df38cee","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["fs/btrfs/transaction.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.4"},{"lessThan":"3.4","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.4.*","status":"unaffected","version":"5.4.291","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.235","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.179","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.129","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.78","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.14","versionType":"semver"},{"lessThanOrEqual":"6.13.*","status":"unaffected","version":"6.13.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.14","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.291","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.235","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.179","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.129","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.78","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.14","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.13.3","versionStartIncluding":"3.4","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.14","versionStartIncluding":"3.4","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it's aborted,\nwe read its 'aborted' field after unlocking fs_info->trans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its 'aborted' field, leading to a use-after-free.\n\nFix this by reading the 'aborted' field while holding fs_info->trans_lock\nsince any freeing task must first acquire that lock and set\nfs_info->running_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\n   Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:378 [inline]\n    print_report+0x169/0x550 mm/kasan/report.c:489\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n    process_one_work kernel/workqueue.c:3236 [inline]\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n    kthread+0x2f0/0x390 kernel/kthread.c:389\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n    </TASK>\n\n   Allocated by task 5315:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n    kmalloc_noprof include/linux/slab.h:901 [inline]\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n    lookup_open fs/namei.c:3649 [inline]\n    open_last_lookups fs/namei.c:3748 [inline]\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n    do_sys_open fs/open.c:1417 [inline]\n    __do_sys_creat fs/open.c:1495 [inline]\n    __se_sys_creat fs/open.c:1489 [inline]\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n   Freed by task 5336:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n    poison_slab_object mm/kasan/common.c:247 [inline]\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n    kasan_slab_free include/linux/kasan.h:233 [inline]\n    slab_free_hook mm/slub.c:2353 [inline]\n    slab_free mm/slub.c:4613 [inline]\n    kfree+0x196/0x430 mm/slub.c:4761\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n    btrfs_balance+0x992/\n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-05-11T21:05:45.922Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/cee55b1219568c80bf0d5dc55066e4a859baf753"},{"url":"https://git.kernel.org/stable/c/c7a53757717e68af94a56929d57f1e6daff220ec"},{"url":"https://git.kernel.org/stable/c/7e954b6bb95d67ae4d1a20e9cfd83c182cf929bc"},{"url":"https://git.kernel.org/stable/c/6ba4663ada6c6315af23a6669d386146634808ec"},{"url":"https://git.kernel.org/stable/c/8f5cff471039caa2b088060c074c2bf2081bcb01"},{"url":"https://git.kernel.org/stable/c/86d71a026a7f63da905db9add845c8ee88801eca"},{"url":"https://git.kernel.org/stable/c/ce628048390dad80320d5a1f74de6ca1e1be91e7"},{"url":"https://git.kernel.org/stable/c/e2f0943cf37305dbdeaf9846e3c941451bcdef63"}],"title":"btrfs: fix use-after-free when attempting to join an aborted transaction","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2025-21753","datePublished":"2025-02-27T02:12:23.235Z","dateReserved":"2024-12-29T08:45:45.760Z","dateUpdated":"2026-05-12T12:03:36.932Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2025-02-27 03:15:15","lastModifiedDate":"2026-05-12 13:16:34","problem_types":["CWE-416","CWE-416 CWE-416 Use After Free"],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.4","versionEndExcluding":"5.4.291","matchCriteriaId":"72F7F814-6E30-44F2-9C56-A6E51C818560"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.5","versionEndExcluding":"5.10.235","matchCriteriaId":"545121FA-DE31-4154-9446-C2000FB4104D"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.179","matchCriteriaId":"C708062C-4E1B-465F-AE6D-C09C46400875"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.129","matchCriteriaId":"2DA5009C-C9B9-4A1D-9B96-78427E8F232C"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.78","matchCriteriaId":"0C58261F-EDFB-4A12-8CCD-F12101482030"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.14","matchCriteriaId":"033BB7EE-C9A2-45EA-BAC9-87BB9D951BCD"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.13.3","matchCriteriaId":"0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:*","matchCriteriaId":"186716B6-2B66-4BD0-852E-D48E71C0C85F"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2025","CveId":"21753","Ordinal":"1","Title":"btrfs: fix use-after-free when attempting to join an aborted tra","CVE":"CVE-2025-21753","Year":"2025"},"notes":[{"CveYear":"2025","CveId":"21753","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free when attempting to join an aborted transaction\n\nWhen we are trying to join the current transaction and if it's aborted,\nwe read its 'aborted' field after unlocking fs_info->trans_lock and\nwithout holding any extra reference count on it. This means that a\nconcurrent task that is aborting the transaction may free the transaction\nbefore we read its 'aborted' field, leading to a use-after-free.\n\nFix this by reading the 'aborted' field while holding fs_info->trans_lock\nsince any freeing task must first acquire that lock and set\nfs_info->running_transaction to NULL before freeing the transaction.\n\nThis was reported by syzbot and Dmitry with the following stack traces\nfrom KASAN:\n\n   ==================================================================\n   BUG: KASAN: slab-use-after-free in join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n   Read of size 4 at addr ffff888011839024 by task kworker/u4:9/1128\n\n   CPU: 0 UID: 0 PID: 1128 Comm: kworker/u4:9 Not tainted 6.13.0-rc7-syzkaller-00019-gc45323b7560e #0\n   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\n   Workqueue: events_unbound btrfs_async_reclaim_data_space\n   Call Trace:\n    <TASK>\n    __dump_stack lib/dump_stack.c:94 [inline]\n    dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n    print_address_description mm/kasan/report.c:378 [inline]\n    print_report+0x169/0x550 mm/kasan/report.c:489\n    kasan_report+0x143/0x180 mm/kasan/report.c:602\n    join_transaction+0xd9b/0xda0 fs/btrfs/transaction.c:278\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    flush_space+0x448/0xcf0 fs/btrfs/space-info.c:803\n    btrfs_async_reclaim_data_space+0x159/0x510 fs/btrfs/space-info.c:1321\n    process_one_work kernel/workqueue.c:3236 [inline]\n    process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317\n    worker_thread+0x870/0xd30 kernel/workqueue.c:3398\n    kthread+0x2f0/0x390 kernel/kthread.c:389\n    ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n    </TASK>\n\n   Allocated by task 5315:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n    __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n    kasan_kmalloc include/linux/kasan.h:260 [inline]\n    __kmalloc_cache_noprof+0x243/0x390 mm/slub.c:4329\n    kmalloc_noprof include/linux/slab.h:901 [inline]\n    join_transaction+0x144/0xda0 fs/btrfs/transaction.c:308\n    start_transaction+0xaf8/0x1670 fs/btrfs/transaction.c:697\n    btrfs_create_common+0x1b2/0x2e0 fs/btrfs/inode.c:6572\n    lookup_open fs/namei.c:3649 [inline]\n    open_last_lookups fs/namei.c:3748 [inline]\n    path_openat+0x1c03/0x3590 fs/namei.c:3984\n    do_filp_open+0x27f/0x4e0 fs/namei.c:4014\n    do_sys_openat2+0x13e/0x1d0 fs/open.c:1402\n    do_sys_open fs/open.c:1417 [inline]\n    __do_sys_creat fs/open.c:1495 [inline]\n    __se_sys_creat fs/open.c:1489 [inline]\n    __x64_sys_creat+0x123/0x170 fs/open.c:1489\n    do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n    do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n    entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n   Freed by task 5336:\n    kasan_save_stack mm/kasan/common.c:47 [inline]\n    kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n    kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582\n    poison_slab_object mm/kasan/common.c:247 [inline]\n    __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264\n    kasan_slab_free include/linux/kasan.h:233 [inline]\n    slab_free_hook mm/slub.c:2353 [inline]\n    slab_free mm/slub.c:4613 [inline]\n    kfree+0x196/0x430 mm/slub.c:4761\n    cleanup_transaction fs/btrfs/transaction.c:2063 [inline]\n    btrfs_commit_transaction+0x2c97/0x3720 fs/btrfs/transaction.c:2598\n    insert_balance_item+0x1284/0x20b0 fs/btrfs/volumes.c:3757\n    btrfs_balance+0x992/\n---truncated---","Type":"Description","Title":"btrfs: fix use-after-free when attempting to join an aborted tra"}]}}}