CVE-2025-40101 | btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leaks when rejecting a non SINGLE data profile without an RST At the end of btrfs_load_block_group_zone_info() the first thing we do is to ensure that if the mapping type is not a SINGLE one and there is no RAID stripe tree, then we return early with an error. Doing that, though, prevents the code from running the last calls from this function which are about freeing memory allocated during its run. Hence, in this case, instead of returning early, we set the ret value and fall through the rest of the cleanup code.

Published: 2025-10-30 Last update: 2026-04-15 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Deferred，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2025-40101 is rated Low Risk (2.8/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-40101

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-10-30	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-40101

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2025-40101

OS Trackers for CVE-2025-40101

vendor	priority	summary	link
`debian`	unimportant	CVE-2025-40101 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2025-40101
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2025-40101
`suse`	low	CVE-2025-40101 severity low: SUSE including 116 source package names (2.2.0-4.35:NetworkManager-1.42.6-slfo.1.1_2.1, 2.2.0-4.35:libnm0-1.42.6-slfo.1.1_2.1, …), 648 product×package rows across 134 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (134 product lines)): Fixed 326, Known Not Affected 301, First Fixed 21.	https://www.suse.com/security/cve/CVE-2025-40101/
`ubuntu`	medium	CVE-2025-40101 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1405 status rows across 9 suites (bionic, focal, jammy, noble, plucky, questing, trusty, upstream, xenial): DNE 1010, ignored 177, released 127, not-affected 82, needed 7, pending 2.	https://ubuntu.com/security/CVE-2025-40101

Affected software / configurations for CVE-2025-40101

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2025-40101

URL	Tags
https://git.kernel.org/stable/c/187333e6d484c6630286bfdd07c79d6815a63887
https://git.kernel.org/stable/c/602701d00439e113331ee9c1283e95afdcb8849d
https://git.kernel.org/stable/c/fec9b9d3ced39f16be8d7afdf81f4dd2653da319

cvelogic Threat Intelligence