Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix NULL pointer dereference in do_abort_log_replay()

Coverity reported a NULL pointer dereference issue (CID 1666756) in
do_abort_log_replay(). When btrfs_alloc_path() fails in
replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay()
calls do_abort_log_replay() which unconditionally dereferences
wc->subvol_path when attempting to print debug information. Fix this by
adding a NULL check before dereferencing wc->subvol_path in
do_abort_log_replay().
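
The error path described above, as an added user-space model in C (not the kernel's code and not the upstream patch): the allocation failure is injected, and the abort handler is shown in its unchecked and NULL-checked forms. The struct layouts, the `slot` field, the message text and the `model_`/`abort_log_replay_*` names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model; fields are assumptions, not the kernel's layout. */
struct model_path { int slot; };
struct walk_control { struct model_path *subvol_path; char msg[96]; };

/* Stand-in for btrfs_alloc_path(); fail_alloc injects the failure. */
static struct model_path *model_alloc_path(int fail_alloc)
{
    return fail_alloc ? NULL : calloc(1, sizeof(struct model_path));
}

/* 'Before' shape: reads wc->subvol_path unconditionally. Never called
 * here, because with a NULL subvol_path it would fault. */
int abort_log_replay_unchecked(struct walk_control *wc, int err)
{
    return snprintf(wc->msg, sizeof(wc->msg),
                    "log replay aborted: %d, slot %d",
                    err, wc->subvol_path->slot);
}

/* 'After' shape: path detail is printed only when the path exists. */
int abort_log_replay_checked(struct walk_control *wc, int err)
{
    if (!wc->subvol_path)
        return snprintf(wc->msg, sizeof(wc->msg),
                        "log replay aborted: %d", err);
    return snprintf(wc->msg, sizeof(wc->msg),
                    "log replay aborted: %d, slot %d",
                    err, wc->subvol_path->slot);
}

/* Stand-in for replay_one_buffer(): a failed allocation leaves
 * subvol_path NULL and goes straight to the abort handler. */
int model_replay_one_buffer(struct walk_control *wc, int fail_alloc)
{
    wc->subvol_path = model_alloc_path(fail_alloc);
    if (!wc->subvol_path) {
        abort_log_replay_checked(wc, -ENOMEM);
        return -ENOMEM;
    }
    wc->msg[0] = '\0';            /* nothing to report on success */
    free(wc->subvol_path);
    wc->subvol_path = NULL;
    return 0;
}
```
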
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash)
Action: Patch
AI Analysis

Impact

The vulnerability is a NULL pointer dereference in the Btrfs file system's log replay routine. During recovery from a corrupted or incomplete log, the code attempts to print debugging information and unconditionally dereferences a pointer that may be NULL, which can cause a kernel panic and lead to a system-wide denial of service. This weakness is a classic pointer validation failure: it does not grant code execution or privilege escalation, but the crash affects every user of the system.

Affected Systems

All Linux kernel versions that include the Btrfs file system and have not yet incorporated the fix that guards the dereference in do_abort_log_replay() are affected. The CNA does not supply specific version ranges, so the impact covers any Linux kernel release before the one that includes the patch. Users running unpatched kernels that rely on Btrfs should verify whether they are running the vulnerable code path.

Risk and Exploitability

The CVSS score of 5.5 reflects a medium severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local or requires elevated privileges to manipulate Btrfs metadata or intentionally trigger a replay failure. Existing patches add a NULL check to prevent the crash; systems that have not applied the fix remain vulnerable to a condition that may cause a kernel panic.

Generated by OpenCVE AI on April 18, 2026 at 14:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that contains the Btrfs null‑pointer dereference fix and reboot to activate it.
  • If an immediate kernel upgrade is not available, restrict the use of Btrfs or keep systems out of production until a patched kernel is deployed.
  • Continue to monitor kernel logs for Btrfs‑related panic messages so that any remaining instances of the flaw can be detected and mitigated promptly.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 04 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay().
Title btrfs: fix NULL pointer dereference in do_abort_log_replay()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:38.268Z

Reserved: 2026-01-13T15:37:45.944Z

Link: CVE-2026-23043

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-02-04T16:16:19.793

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23043

Redhat

Severity : Low

Public Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23043 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses