CVE-2026-23251 - Vulnerability Details

- xfs: only call xf{array,blob}_destroy if we have a valid pointer

Description

In the Linux kernel, the following vulnerability has been resolved:

xfs: only call xf{array,blob}_destroy if we have a valid pointer

Only call the xfarray and xfblob destructor if we have a valid pointer,
and be sure to null out that pointer afterwards. Note that this patch
fixes a large number of commits, most of which were merged between 6.9
and 6.10.

Published: 2026-03-18

Score: 7.0 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux XFS filesystem contains a flaw in which the xfarray and xfblob destructors are invoked without confirming that the pointer is valid. This use‑after‑free can corrupt kernel memory. If an attacker can cause the buggy destructor path to run, the kernel may crash or an attacker could gain execution at kernel privilege level, leading to denial of service or privilege escalation.

Affected Systems

All Linux kernel releases that incorporated the buggy XFS logic are impacted. This includes kernels from 6.9 and 6.10 as well as earlier releases that had not yet received the patch. Any system running these kernels with XFS support is vulnerable.

Risk and Exploitability

The CVSS score of 7.0 indicates a moderate‑to‑high severity. The EPSS score is below 1 % and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need to trigger XFS file operations that exercise the destructor paths, implying a local or privileged access requirement. If unpatched, the risk remains substantial; patching mitigates the vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< 5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< c9ccefacae0d8091683447bc338bd7741417039d
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< d827612c81a26cc1dd83a211cfcb5ad8765da0c4
`ab97f4b1c030750f2475bf4da8a9554d02206640`	affected	< ba408d299a3bb3c5309f40c5326e4fb83ead4247

Linux

affected

Version	Status	Constraints
`6.10`	affected	—
`0`	unaffected	< 6.10
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ab97f4b1c030750f2475bf4da8a9554d02206640,5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202)`	affected	code_commit	—
`[ab97f4b1c030750f2475bf4da8a9554d02206640,ba408d299a3bb3c5309f40c5326e4fb83ead4247)`	affected	code_commit	—
`[ab97f4b1c030750f2475bf4da8a9554d02206640,d827612c81a26cc1dd83a211cfcb5ad8765da0c4)`	affected	code_commit	—
`[ab97f4b1c030750f2475bf4da8a9554d02206640,c9ccefacae0d8091683447bc338bd7741417039d)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.10`	affected	generic	—
`[0,6.10)`	unaffected	generic	—
`[6.12.75,6.12.*]`	unaffected	generic	—
`[6.18.16,6.18.*]`	unaffected	generic	—
`[6.19.6,6.19.*]`	unaffected	generic	—
`[7.0-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the XFS fix, such as 6.10 or later.
Verify that the running kernel is the patched version using uname -r and reboot the system if necessary.
Check vendor advisories or security bulletins for additional guidance or required configuration changes.
Consider disabling or restricting XFS usage on systems that do not need it, as a temporary measure if an immediate kernel upgrade is not possible.

Generated by OpenCVE AI on March 27, 2026 at 10:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202
https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247
https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d
https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4
https://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23251
https://www.cve.org/CVERecord?id=CVE-2026-23251

History

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416

Fri, 27 Mar 2026 08:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Thu, 26 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Wed, 25 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-476

Tue, 24 Mar 2026 13:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 19 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23251 https://www.cve.org/CVERecord?id=CVE-2026-23251
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` threat_severity `Moderate`

Wed, 18 Mar 2026 17:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: xfs: only call xf{array,blob}_destroy if we have a valid pointer Only call the xfarray and xfblob destructor if we have a valid pointer, and be sure to null out that pointer afterwards. Note that this patch fixes a large number of commits, most of which were merged between 6.9 and 6.10.
Title		xfs: only call xf{array,blob}_destroy if we have a valid pointer
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202 https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247 https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-18T17:01:42.483Z

Updated: 2026-04-13T06:03:09.663Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23251

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:23.090

Modified: 2026-03-19T13:25:00.570

Link: CVE-2026-23251

Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23251 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T15:48:30Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object