CVE-2026-23223 - Vulnerability Details

- xfs: fix UAF in xchk_btree_check_block_owner

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: fix UAF in xchk_btree_check_block_owner

We cannot dereference bs->cur when trying to determine if bs->cur
aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.
Fix this by sampling before type before any freeing could happen.
The correct temporal ordering was broken when we removed xfs_btnum_t.

Published: 2026-02-18

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability manifests as a use‑after‑free bug in the XFS filesystem component of the Linux kernel, occurring when the code dereferences a freed pointer while checking block ownership in a B‑tree. This flaw can corrupt kernel memory and lead to a kernel crash, potentially causing denial of service. While kernel memory corruption could be leveraged for arbitrary code execution in theory, the CVE description does not detail a confirmed execution path, so such an outcome requires additional conditions not specified in the report.

Affected Systems

The flaw affects any Linux kernel that includes the XFS filesystem and does not contain the patch that fixed the temporal ordering issue in the use‑after‑free. No specific downstream version numbers are listed, so all kernels lacking the commit that performed the fix are considered vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a moderate‑to‑high severity, but the EPSS of <1% suggests a low likelihood of active exploitation. The flaw is not listed in the CISA KEV catalog. Because the vulnerable code resides in the filesystem driver, the most likely attack vector is local and requires manipulation of XFS file system data by a privileged or compromised process.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ec793e690f801d97a7ae2a0d429fea1fee4d44aa`	affected	< 1d411278dda293a507cb794db7d9ed3511c685c6
`ec793e690f801d97a7ae2a0d429fea1fee4d44aa`	affected	< ed82e7949f5cac3058f4100f3cd670531d41a266
`ec793e690f801d97a7ae2a0d429fea1fee4d44aa`	affected	< ba5264610423d9653aa36920520902d83841bcfd
`ec793e690f801d97a7ae2a0d429fea1fee4d44aa`	affected	< 1c253e11225bc5167217897885b85093e17c2217

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.12.72`	unaffected	≤ 6.12.*
`6.18.11`	unaffected	≤ 6.18.*
`6.19.1`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1d411278dda293a507cb794db7d9ed3511c685c6)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ed82e7949f5cac3058f4100f3cd670531d41a266)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ba5264610423d9653aa36920520902d83841bcfd)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.12.72,6.12.*]`	unaffected	generic	—
`[6.18.11,6.18.*]`	unaffected	generic	—
`[6.19.1,6.19.*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the CVE-2026-23223 fix (refer to the patch commit in the Linux kernel Git repository).
If a kernel upgrade is not immediately possible, unmount or otherwise disable XFS filesystems to prevent the vulnerable code path from being executed.
Apply any vendor backport that incorporates the same use‑after‑free fix for your kernel version.

Generated by OpenCVE AI on April 15, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6141-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1c253e11225bc5167217897885b85093e17c2217
https://git.kernel.org/stable/c/1d411278dda293a507cb794db7d9ed3511c685c6
https://git.kernel.org/stable/c/ba5264610423d9653aa36920520902d83841bcfd
https://git.kernel.org/stable/c/ed82e7949f5cac3058f4100f3cd670531d41a266
https://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23223-e3d3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23223
https://www.cve.org/CVERecord?id=CVE-2026-23223

History

Wed, 18 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 23 Feb 2026 03:30:00 +0000

Type	Values Removed	Values Added
References		https://git.kernel.org/stable/c/1c253e11225bc5167217897885b85093e17c2217

Fri, 20 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23223-e3d3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23223 https://www.cve.org/CVERecord?id=CVE-2026-23223
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 18 Feb 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfs: fix UAF in xchk_btree_check_block_owner We cannot dereference bs->cur when trying to determine if bs->cur aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed. Fix this by sampling before type before any freeing could happen. The correct temporal ordering was broken when we removed xfs_btnum_t.
Title		xfs: fix UAF in xchk_btree_check_block_owner
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1d411278dda293a507cb794db7d9ed3511c685c6 https://git.kernel.org/stable/c/ba5264610423d9653aa36920520902d83841bcfd https://git.kernel.org/stable/c/ed82e7949f5cac3058f4100f3cd670531d41a266

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-18T14:53:26.603Z

Updated: 2026-04-13T06:02:38.635Z

Reserved: 2026-01-13T15:37:45.987Z

Link: CVE-2026-23223

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-18T16:22:32.037

Modified: 2026-03-18T14:46:29.523

Link: CVE-2026-23223

Redhat

Severity : Moderate

Publid Date: 2026-02-18T00:00:00Z

Links: CVE-2026-23223 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object