CVE-2026-23251 - Vulnerability Details

- xfs: only call xf{array,blob}_destroy if we have a valid pointer

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: only call xf{array,blob}_destroy if we have a valid pointer

Only call the xfarray and xfblob destructor if we have a valid pointer,
and be sure to null out that pointer afterwards. Note that this patch
fixes a large number of commits, most of which were merged between 6.9
and 6.10.

Published: 2026-03-18

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux XFS filesystem contains a flaw in which the xfarray and xfblob destructors are invoked without confirming that the pointer is valid. This null pointer dereference can corrupt kernel memory or crash the kernel, allowing an attacker to gain kernel‑level execution or cause a denial of service. If an attacker can cause the buggy destructor path to run, the kernel may crash or an attacker could gain execution at kernel privilege level, leading to denial of service or privilege escalation.

Affected Systems

All Linux kernel releases that incorporated the buggy XFS logic before it was patched are impacted. The CVE data does not specify exact version numbers, so any system running those kernels with XFS support is vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need to trigger XFS file operations that exercise the destructor paths, implying a local or privileged access requirement. If unpatched, the risk remains substantial; patching mitigates the vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< 5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< c9ccefacae0d8091683447bc338bd7741417039d
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< d827612c81a26cc1dd83a211cfcb5ad8765da0c4
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< ba408d299a3bb3c5309f40c5326e4fb83ead4247

Linux

affected

Version	Status	Constraints
`6.10`	affected	—
`0`	unaffected	< 6.10
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ab97f4b1c030750f2475bf4da8a9554d02206640,5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202)`	affected	code_commit	—
`[ab97f4b1c030750f2475bf4da8a9554d02206640,ba408d299a3bb3c5309f40c5326e4fb83ead4247)`	affected	code_commit	—
`[ab97f4b1c030750f2475bf4da8a9554d02206640,d827612c81a26cc1dd83a211cfcb5ad8765da0c4)`	affected	code_commit	—
`[ab97f4b1c030750f2475bf4da8a9554d02206640,c9ccefacae0d8091683447bc338bd7741417039d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.10`	affected	generic	—
`[0,6.10)`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.16,6.18.*]`	unaffected	generic	—
`[6.19.6,6.19.*]`	unaffected	generic	—
`[7.0-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the XFS fix.
Consider disabling or restricting XFS usage on systems that do not need it, as a temporary measure if an immediate kernel upgrade is not possible.
Check vendor advisories or security bulletins for additional guidance or required configuration changes.

Generated by OpenCVE AI on May 21, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202
https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247
https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d
https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4
https://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23251
https://www.cve.org/CVERecord?id=CVE-2026-23251

History

Thu, 21 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416

Thu, 21 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
Metrics	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Wed, 25 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Tue, 24 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 19 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23251 https://www.cve.org/CVERecord?id=CVE-2026-23251
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 18 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfs: only call xf{array,blob}_destroy if we have a valid pointer Only call the xfarray and xfblob destructor if we have a valid pointer, and be sure to null out that pointer afterwards. Note that this patch fixes a large number of commits, most of which were merged between 6.9 and 6.10.
Title		xfs: only call xf{array,blob}_destroy if we have a valid pointer
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202 https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247 https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-18T17:01:42.483Z

Updated: 2026-05-11T22:03:14.783Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23251

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-18T18:16:23.090

Modified: 2026-05-21T18:30:19.560

Link: CVE-2026-23251

Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23251 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-21T21:30:19Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object