Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()

After commit 1618aa3c2e01 ("btrfs: simplify return variables in
lookup_extent_data_ref()"), the err and ret variables were merged into
a single ret variable. However, when btrfs_next_leaf() returns 0
(success), ret is overwritten from -ENOENT to 0. If the first key in
the next leaf does not match (different objectid or type), the function
returns 0 instead of -ENOENT, making the caller believe the lookup
succeeded when it did not. This can lead to operations on the wrong
extent tree item, potentially causing extent tree corruption.

Fix this by returning -ENOENT directly when the key does not match,
instead of relying on the ret variable.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Data Loss/Corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the Btrfs file‑system implementation of the Linux kernel. During a leaf lookup, the code incorrectly returns 0 when the next leaf’s key does not match, causing the caller to believe the lookup succeeded. The erroneous success flag can lead to operations on a wrong extent tree item, thereby corrupting the extent tree. This flaw falls under CWE‑393 (Incorrect Error Handling).

Affected Systems

All Linux kernel versions that include the Btrfs module are affected, as indicated by the CPE list covering Linux Kernel 6.10 and the 7.0 release candidates. Any system using these kernels with active Btrfs file systems is at risk.

Risk and Exploitability

The CVSS score of 7.8 denotes high severity, yet the EPSS score of less than 1% indicates a very low likelihood of exploitation at this time. The vulnerability is not currently listed in CISA’s KEV catalog. Exploitation would likely require local access to a system performing Btrfs operations, and an attacker would aim to trigger the faulty lookup path to corrupt the file‑system. The attack vector is inferred to be local file‑system activity; no remote network exposure is mentioned in the description.

Generated by OpenCVE AI on April 28, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that incorporates the patch (commit 1618aa3c2e01).
  • Reboot the system into the updated kernel so that all Btrfs operations use the corrected code.
  • If a kernel upgrade is not immediately possible, remount any Btrfs volumes as read‑only or suspend write activity until the fix is deployed.

Generated by OpenCVE AI on April 28, 2026 at 13:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6238-1 linux security update
History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.10:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-393
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref() After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption. Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.
Title btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:13:14.315Z

Reserved: 2026-03-09T15:48:24.129Z

Link: CVE-2026-31666

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:46.290

Modified: 2026-04-27T20:00:27.157

Link: CVE-2026-31666

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31666 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T13:45:06Z

Weaknesses