CVE-2023-54121: btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix incorrect splitting in btrfs_drop_extent_map_range
In production we were seeing a variety of WARN_ON()'s in the extent_map
code, specifically in btrfs_drop_extent_map_range() when we have to call
add_extent_mapping() for our second split.
Consider the following extent map layout
PINNED
[0 16K) [32K, 48K)
and then we call btrfs_drop_extent_map_range for [0, 36K), with
skip_pinned == true. The initial loop will have
start = 0
end = 36K
len = 36K
we will find the [0, 16k) extent, but since we are pinned we will skip
it, which has this code
start = em_end;
if (end != (u64)-1)
len = start + len - em_end;
em_end here is 16K, so now the values are
start = 16K
len = 16K + 36K - 16K = 36K
len should instead be 20K. This is a problem when we find the next
extent at [32K, 48K), we need to split this extent to leave [36K, 48k),
however the code for the split looks like this
split->start = start + len;
split->len = em_end - (start + len);
In this case we have
em_end = 48K
split->start = 16K + 36K // this should be 16K + 20K
split->len = 48K - (16K + 36K) // this overflows as 16K + 36K is 52K
and now we have an invalid extent_map in the tree that potentially
overlaps other entries in the extent map. Even in the non-overlapping
case we will have split->start set improperly, which will cause problems
with any block related calculations.
We don't actually need len in this loop, we can simply use end as our
end point, and only adjust start up when we find a pinned extent we need
to skip.
Adjust the logic to do this, which keeps us from inserting an invalid
extent map.
We only skip_pinned in the relocation case, so this is relatively rare,
except in the case where you are running relocation a lot, which can
happen with auto relocation on.
Security readout for executives and security teams
Plain-English summary
CVE-2023-54121 is a Linux kernel Btrfs bug where rare relocation handling can corrupt internal extent-map bookkeeping. The public record describes warnings and invalid extent-map entries, not remote compromise or data theft. Business urgency is highest for systems that use Btrfs and run frequent relocation or auto-relocation.
Executive priority
Prioritize patching Btrfs-backed Linux servers during normal kernel maintenance, escalating for storage-heavy systems using relocation or auto-relocation. Current public evidence does not justify emergency remote-exploit response by itself.
Technical view
The flaw is in btrfs_drop_extent_map_range() when skip_pinned is true. Incorrect length handling after skipping a pinned extent can split a later extent at the wrong offset, potentially inserting an invalid or overlapping extent_map and breaking block-related calculations.
Likely exposure
Exposure appears limited to Linux systems using Btrfs, especially where relocation runs often. The source says skip_pinned is used only in the relocation case, making ordinary systems less likely to hit it.
Exploitation context
The provided sources do not report active exploitation, KEV listing, exploit availability, privilege requirements, or a practical attack path. Evidence supports a reliability and filesystem-integrity concern rather than confirmed weaponized exploitation.
Researcher notes
Focus validation on Btrfs relocation paths and kernels lacking the stable fixes. The source bundle lacks CVSS, CWE, exploitability detail, and distribution package mappings, so exposure decisions require local kernel and filesystem inventory.
Mitigation direction
Apply Linux kernel updates containing the referenced stable fixes.
Map your distribution kernel package to this CVE or the stable commits.
Review vendor guidance before relying on any workaround.
Avoid unnecessary frequent Btrfs relocation until patched, where operationally acceptable.
Validation and detection
Inventory systems running Linux with Btrfs filesystems.
Check kernel version and vendor backport status against CVE-2023-54121.
Look for referenced stable commits in kernel changelogs.
Review kernel logs for Btrfs extent_map WARN_ON messages.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-54121 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Dec 24, 2025, 13:06 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.