CVE-2024-46733
📋 TL;DR
This CVE describes a qgroup reservation leak vulnerability in the Linux kernel's Btrfs filesystem. When buffered write operations fail before creating ordered extents, the system fails to properly free reserved qgroup space, leading to resource exhaustion and potential filesystem corruption. This affects Linux systems using Btrfs with qgroups enabled.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Filesystem corruption leading to data loss, system crashes during unmount, and potential denial of service requiring filesystem repair or restoration from backups.
Likely Case
Filesystem warnings during unmount, qgroup accounting errors, and potential system instability when performing I/O operations on Btrfs volumes with qgroups enabled.
If Mitigated
Minor performance impact from qgroup accounting errors, but no data loss or system instability if proper monitoring is in place.
🎯 Exploit Status
Exploitation requires triggering specific I/O error conditions in Btrfs write paths, making it difficult to weaponize. The vulnerability was discovered through fstest generic/475 testing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches via git commits: 159f0f61b283ea71e827dd0c18c5dce197de1fa2, 30479f31d44d47ed00ae0c7453d9b253537005b2, 84464db2ec2a55b9313d5f264da196a37ec80994, e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f
Vendor Advisory: https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution. 2. For custom kernels, apply the relevant git commits. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable Btrfs qgroups
linuxDisable qgroup feature on Btrfs filesystems to prevent the vulnerability from being triggered
btrfs quota disable /mount/point
Use alternative filesystem
linuxMigrate data to ext4, xfs, or other filesystems not affected by this vulnerability
🧯 If You Can't Patch
- Monitor system logs for BTRFS warnings about qgroup reserved space leaks
- Implement regular filesystem checks and backups to mitigate potential data corruption
🔍 How to Verify
Check if Vulnerable:
Check if using Btrfs with qgroups enabled: 'btrfs quota show /mount/point' and verify kernel version is unpatchedCheck Version:
uname -rVerify Fix Applied:
Check kernel version includes the fix commits or run fstest generic/475 to verify no qgroup leaks occur📡 Detection & Monitoring
Log Indicators:
- BTRFS warning: qgroup has unreleased space
- BTRFS error: qgroup reserved space leaked
- WARNING at close_ctree in kernel logs
SIEM Query:
source="kernel" AND ("qgroup has unreleased space" OR "qgroup reserved space leaked")🔗 References
- https://git.kernel.org/stable/c/159f0f61b283ea71e827dd0c18c5dce197de1fa2
- https://git.kernel.org/stable/c/30479f31d44d47ed00ae0c7453d9b253537005b2
- https://git.kernel.org/stable/c/84464db2ec2a55b9313d5f264da196a37ec80994
- https://git.kernel.org/stable/c/e42ef22bc10f0309c0c65d8d6ca8b4127a674b7f
- https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html
