Medium

Race condition in Linux kernel Btrfs block_group::bg_list handling

IdentifiersCVE-2025-37856CWE-362

CVE-2025-37856 is a race condition in the Linux kernel Btrfs filesystem code involving block_group::bg_list manipulation. The issue arises from unsynchronized list_del_init() operations on bg_list that can race with btrfs_mark_bg_unused() and related bg_list users. The described interleaving allows one thread to remove a block group from the list while another thread still observes the list entry as present and moves or deletes it again. This corrupts the associated block-group reference counting lifecycle: the refcount can reach zero one dereference too early, and the true final dereference then underflows the refcount, producing a kernel WARNING. The fix hardens bg_list handling against these list_del() races in the Btrfs block group management path.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of the flaw can corrupt Btrfs block-group reference counts in kernel memory management paths, causing premature object release semantics followed by refcount underflow and kernel WARNING conditions. Based on the available vendor context, the practical security impact is primarily local denial of service or stability degradation/high-availability impact on affected systems. The provided content does not establish reliable evidence of controlled code execution or privilege escalation from this bug alone.

Mitigation

If you can’t patch tonight, do this now.

No specific workaround is provided in the supplied advisory content beyond applying the fixed kernel update. If immediate patching is not possible, reduce exposure by limiting untrusted local access to affected systems and minimizing use of vulnerable Btrfs-backed workloads where operationally feasible until the kernel can be updated and the host rebooted.

Remediation

Patch, then assume compromise.

Apply vendor-supplied kernel updates that include the Btrfs fix for CVE-2025-37856. The provided SUSE advisory data indicates fixed package versions include, depending on product line, kernel-default 6.4.0-32.1 for SUSE Linux Micro 6.0/6.1, 6.4.0-150600.23.65.1 for many SLES/SLED 15 SP6 products, 6.4.0-150700.53.11.1 for many 15 SP7 products, 6.12.0-160000.6.1 for SLES 16.0/openSUSE Leap 16.0, and 4.12.14-122.269.1 for SLES 12 SP5 LTSS variants, along with corresponding related kernel subpackages. Reboot after installing the updated kernel.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

LinuxLinux Kerneloperating_system

SuseLinux Enterprise Server 15 Sp6 Azure Kerneloperating_system

SuseLinux Kerneloperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

18 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

18 SOURCESView more in app

bugzilla suseNews

Jun 25, 2026

1247483 - VUL-0: Intel CPU: VMScape issue

Listed as one of 573 vulnerabilities addressed by SUSE-SU-2026:20560-1 for kernel packages in SUSE Linux Micro Extras 6.2.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-37856

NVD

nvd.nist.gov/vuln/detail/CVE-2025-37856

MITRE CWE · CWE-362

cwe.mitre.org

Patch

git.kernel.org/stable/c/185fd73e5ac06027c4be9a129e59193f6a3ef202

Patch

git.kernel.org/stable/c/7511e29cf1355b2c47d0effb39e463119913e2f6

Patch

git.kernel.org/stable/c/909e60fb469d4101c6b08cf6e622efb062bb24a1

Patch

git.kernel.org/stable/c/bf089c4d1141b27332c092b1dcca5022c415a3b6