LiveActive security incident?Get immediate response
CVE Record

CVE-2023-54121: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range In production we were seeing a variety of WARN_ON()'s in the extent_map code, specifically in btrfs_drop_extent_map_range() when we have to call add_extent_mapping() for our second split. Consider the following extent map layout PINNED [0 16K) [32K, 48K) and then we call btrfs_drop_extent_map_range for [0, 36K), with skip_pinned == true. The initial loop will have start = 0 end = 36K len = 36K we will find the [0, 16k) extent, but since we are pinned we will skip it, which has this code start = em_end; if (end != (u64)-1) len = start + len - em_end; em_end here is 16K, so now the values are start = 16K len = 16K + 36K - 16K = 36K len should instead be 20K. This is a problem when we find the next extent at [32K, 48K), we need to split this extent to leave [36K, 48k), however the code for the split looks like this split->start = start + len; split->len = em_end - (start + len); In this case we have em_end = 48K split->start = 16K + 36K // this should be 16K + 20K split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K and now we have an invalid extent_map in the tree that potentially overlaps other entries in the extent map. Even in the non-overlapping case we will have split->start set improperly, which will cause problems with any block related calculations. We don't actually need len in this loop, we can simply use end as our end point, and only adjust start up when we find a pinned extent we need to skip. Adjust the logic to do this, which keeps us from inserting an invalid extent map. We only skip_pinned in the relocation case, so this is relatively rare, except in the case where you are running relocation a lot, which can happen with auto relocation on.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2023-54121 is a Linux kernel Btrfs bug where rare relocation handling can corrupt internal extent-map bookkeeping. The public record describes warnings and invalid extent-map entries, not remote compromise or data theft. Business urgency is highest for systems that use Btrfs and run frequent relocation or auto-relocation.

Executive priority

Prioritize patching Btrfs-backed Linux servers during normal kernel maintenance, escalating for storage-heavy systems using relocation or auto-relocation. Current public evidence does not justify emergency remote-exploit response by itself.

Technical view

The flaw is in btrfs_drop_extent_map_range() when skip_pinned is true. Incorrect length handling after skipping a pinned extent can split a later extent at the wrong offset, potentially inserting an invalid or overlapping extent_map and breaking block-related calculations.

Likely exposure

Exposure appears limited to Linux systems using Btrfs, especially where relocation runs often. The source says skip_pinned is used only in the relocation case, making ordinary systems less likely to hit it.

Exploitation context

The provided sources do not report active exploitation, KEV listing, exploit availability, privilege requirements, or a practical attack path. Evidence supports a reliability and filesystem-integrity concern rather than confirmed weaponized exploitation.

Researcher notes

Focus validation on Btrfs relocation paths and kernels lacking the stable fixes. The source bundle lacks CVSS, CWE, exploitability detail, and distribution package mappings, so exposure decisions require local kernel and filesystem inventory.

Mitigation direction

  • Apply Linux kernel updates containing the referenced stable fixes.
  • Map your distribution kernel package to this CVE or the stable commits.
  • Review vendor guidance before relying on any workaround.
  • Avoid unnecessary frequent Btrfs relocation until patched, where operationally acceptable.

Validation and detection

  • Inventory systems running Linux with Btrfs filesystems.
  • Check kernel version and vendor backport status against CVE-2023-54121.
  • Look for referenced stable commits in kernel changelogs.
  • Review kernel logs for Btrfs extent_map WARN_ON messages.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2023-54121 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
0ADP providers
4Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinux55ef68990029fcd8d04d42fc184aa7fb18cf309e, 55ef68990029fcd8d04d42fc184aa7fb18cf309e, 55ef68990029fcd8d04d42fc184aa7fb18cf309e, c87afd35a28b2661a2626a1b28e9fd69adcad9f9, 2.6.32.19unaffected
LinuxLinux2.6.33, 0, 6.1.47, 6.4.12, 6.5affected
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.