CVE-2026-23249 - Vulnerability Details

- xfs: check for deleted cursors when revalidating two btrees

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: check for deleted cursors when revalidating two btrees

The free space and inode btree repair functions will rebuild both btrees
at the same time, after which it needs to evaluate both btrees to
confirm that the corruptions are gone.

However, Jiaming Zhang ran syzbot and produced a crash in the second
xchk_allocbt call. His root-cause analysis is as follows (with minor
corrections):

In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first
for BNOBT, second for CNTBT). The cause of this issue is that the
first call nullified the cursor required by the second call.

Let's first enter xrep_revalidate_allocbt() via following call chain:

xfs_file_ioctl() ->
xfs_ioc_scrubv_metadata() ->
xfs_scrub_metadata() ->
`sc->ops->repair_eval(sc)` ->
xrep_revalidate_allocbt()

xchk_allocbt() is called twice in this function. In the first call:

/* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */
xchk_allocbt() ->
xchk_btree() ->
`bs->scrub_rec(bs, recp)` ->
xchk_allocbt_rec() ->
xchk_allocbt_xref() ->
xchk_allocbt_xref_other()

since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.
Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call
chain:

xfs_alloc_get_rec() ->
xfs_btree_get_rec() ->
xfs_btree_check_block() ->
(XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter
is true, return -EFSCORRUPTED. This should be caused by
ioctl$XFS_IOC_ERROR_INJECTION I guess.

Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from
xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this
function, *curpp (points to sc->sa.cnt_cur) is nullified.

Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been
nullified, it then triggered null-ptr-deref via xchk_allocbt() (second
call) -> xchk_btree().

So. The bnobt revalidation failed on a cross-reference attempt, so we
deleted the cntbt cursor, and then crashed when we tried to revalidate
the cntbt. Therefore, check for a null cntbt cursor before that
revalidation, and mark the repair incomplete. Also we can ignore the
second tree entirely if the first tree was rebuilt but is already
corrupt.

Apply the same fix to xrep_revalidate_iallocbt because it has the same
problem.

Published: 2026-03-18

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper cursor handling bug in the Linux kernel’s XFS file system. During btree revalidation, the first call to the allocation routine clears a cursor used by the second call, resulting in an unguarded null‑pointer dereference. This leads to a kernel crash when the XFS ioctl or ioctl error‑injection path is exercised. The crash is a non‑privileged denial of service that can be triggered by any user who can run the XFS ioctl or a malformed file system operation, causing an entire system or at least the affected XFS mount to become unresponsive.

Affected Systems

All Linux kernel releases that include the buggy XFS btree repair logic are affected. The known CVE advisory does not list explicit version ranges, but the issue has been observed in recent kernel revisions before the fix was applied. Any system running a kernel that has not been updated to the merge containing the patch (identified by the commit graph references) is likely vulnerable.

Risk and Exploitability

The CVSS score of 7.0 reflects a high impact with local privilege or local user context. The EPSS score is unavailable, and the vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, indicating limited evidence of widespread exploitation. However, the repair logic is part of everyday file system maintenance and repair commands, meaning that a local attacker can realistically trigger the fault. The exploitability requires the attacker to deliver a crafted ioctl or create specific corruption conditions, which is feasible for a local user or a malicious kernel module.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`dbfbf3bdf639a20da7d5fb390cd2e197d25aa418`	affected	< d69de525bc7ab27713342080bf50826df3f6a68f
`dbfbf3bdf639a20da7d5fb390cd2e197d25aa418`	affected	< b04baa848c0543b240b1bd8aecff470382f6f154
`dbfbf3bdf639a20da7d5fb390cd2e197d25aa418`	affected	< 5991e96f2ae82df60a3e4ed00f3432d9f3502a99
`dbfbf3bdf639a20da7d5fb390cd2e197d25aa418`	affected	< 55e03b8cbe2783ec9acfb88e8adb946ed504e117

Linux

affected

Version	Status	Constraints
`6.8`	affected	—
`0`	unaffected	< 6.8
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[dbfbf3bdf639a20da7d5fb390cd2e197d25aa418,d69de525bc7ab27713342080bf50826df3f6a68f)`	affected	code_commit	—
`[dbfbf3bdf639a20da7d5fb390cd2e197d25aa418,b04baa848c0543b240b1bd8aecff470382f6f154)`	affected	code_commit	—
`[dbfbf3bdf639a20da7d5fb390cd2e197d25aa418,5991e96f2ae82df60a3e4ed00f3432d9f3502a99)`	affected	code_commit	—
`[dbfbf3bdf639a20da7d5fb390cd2e197d25aa418,55e03b8cbe2783ec9acfb88e8adb946ed504e117)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.8`	affected	generic	—
`[0,6.8)`	unaffected	generic	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Check the current kernel version and verify if the commit that removes the null cursor dereference (see the review discussion and merge references) is present; if not, plan an immediate kernel upgrade or backport the patch. Upgrade to the latest stable kernel from the distribution or vendor that contains the fix for XFS btree revalidation. Monitor vendor advisories and security mailing lists for a release note announcing the inclusion of the patch. If a kernel upgrade cannot be performed immediately, consider disabling or restricting the XFS ioctl interface used for error injection in environments where the threat is a concern. Ensure that any automated file‑system repair tools that invoke XFS scrub operations are run only when the system is fully patched.

Generated by OpenCVE AI on March 19, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/55e03b8cbe2783ec9acfb88e8adb946ed504e117
https://git.kernel.org/stable/c/5991e96f2ae82df60a3e4ed00f3432d9f3502a99
https://git.kernel.org/stable/c/b04baa848c0543b240b1bd8aecff470382f6f154
https://git.kernel.org/stable/c/d69de525bc7ab27713342080bf50826df3f6a68f
https://lore.kernel.org/linux-cve-announce/2026031843-CVE-2026-23249-c309@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23249
https://www.cve.org/CVERecord?id=CVE-2026-23249

History

Thu, 19 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026031843-CVE-2026-23249-c309@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23249 https://www.cve.org/CVERecord?id=CVE-2026-23249
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 18 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfs: check for deleted cursors when revalidating two btrees The free space and inode btree repair functions will rebuild both btrees at the same time, after which it needs to evaluate both btrees to confirm that the corruptions are gone. However, Jiaming Zhang ran syzbot and produced a crash in the second xchk_allocbt call. His root-cause analysis is as follows (with minor corrections): In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first for BNOBT, second for CNTBT). The cause of this issue is that the first call nullified the cursor required by the second call. Let's first enter xrep_revalidate_allocbt() via following call chain: xfs_file_ioctl() -> xfs_ioc_scrubv_metadata() -> xfs_scrub_metadata() -> `sc->ops->repair_eval(sc)` -> xrep_revalidate_allocbt() xchk_allocbt() is called twice in this function. In the first call: /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now / xchk_allocbt() -> xchk_btree() -> `bs->scrub_rec(bs, recp)` -> xchk_allocbt_rec() -> xchk_allocbt_xref() -> xchk_allocbt_xref_other() since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur. Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call chain: xfs_alloc_get_rec() -> xfs_btree_get_rec() -> xfs_btree_check_block() -> (XFS_IS_CORRUPT \|\| XFS_TEST_ERROR), the former is false and the latter is true, return -EFSCORRUPTED. This should be caused by ioctl$XFS_IOC_ERROR_INJECTION I guess. Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this function, curpp (points to sc->sa.cnt_cur) is nullified. Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been nullified, it then triggered null-ptr-deref via xchk_allocbt() (second call) -> xchk_btree(). So. The bnobt revalidation failed on a cross-reference attempt, so we deleted the cntbt cursor, and then crashed when we tried to revalidate the cntbt. Therefore, check for a null cntbt cursor before that revalidation, and mark the repair incomplete. Also we can ignore the second tree entirely if the first tree was rebuilt but is already corrupt. Apply the same fix to xrep_revalidate_iallocbt because it has the same problem.
Title		xfs: check for deleted cursors when revalidating two btrees
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/55e03b8cbe2783ec9acfb88e8adb946ed504e117 https://git.kernel.org/stable/c/5991e96f2ae82df60a3e4ed00f3432d9f3502a99 https://git.kernel.org/stable/c/b04baa848c0543b240b1bd8aecff470382f6f154 https://git.kernel.org/stable/c/d69de525bc7ab27713342080bf50826df3f6a68f

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-18T17:01:40.653Z

Updated: 2026-04-13T06:03:07.322Z

Reserved: 2026-01-13T15:37:45.989Z

Link: CVE-2026-23249

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:22.787

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-23249

Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23249 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:58:31Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object