Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()

Call rcu_read_lock() before exiting the loop in
try_release_subpage_extent_buffer() because there is a rcu_read_unlock()
call past the loop.

This has been detected by the Clang thread-safety analyzer.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An omission of an RCU unlock on the error path of try_release_subpage_extent_buffer() in the Linux kernel allows a use‑after‑free or other memory corruption in kernel space. Because the RCU lock is not released when an error occurs, a freed object can still be accessed, potentially leading to kernel crashes or instability. This flaw was detected by the Clang thread‑safety analyzer and is reflected in an upstream patch that adds the missing unlock.

Affected Systems

The vulnerability affects any configuration of the Linux kernel that contains the buggy btrfs implementation. Affected systems include all Linux kernel builds prior to the inclusion of the commit that adds the RCU unlock in try_release_subpage_extent_buffer(). No specific kernel versions are listed; therefore any kernel containing the unpatched btrfs code is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. EPSS data is not available and the vulnerability is not present in the CISA KEV catalog, so the likelihood of exploitation is uncertain. Attackers would need to trigger the error path in try_release_subpage_extent_buffer(), which requires local privileged or kernel code execution. If successful, the resulting use‑after‑free could lead to a kernel panic or provide a foothold for arbitrary code execution.

Generated by OpenCVE AI on May 9, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patch fixing the missing RCU unlock in try_release_subpage_extent_buffer()
  • If immediate update is not possible, avoid using btrfs on the system or disable the filesystem
  • Monitor kernel logs for btrfs‑related panic or RCU errors, and consider running the Clang thread‑safety analyzer on any custom kernel code

Generated by OpenCVE AI on May 9, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Fri, 08 May 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer() Call rcu_read_lock() before exiting the loop in try_release_subpage_extent_buffer() because there is a rcu_read_unlock() call past the loop. This has been detected by the Clang thread-safety analyzer.
Title btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:13.719Z

Reserved: 2026-05-01T14:12:56.005Z

Link: CVE-2026-43358

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:46.607

Modified: 2026-05-08T15:16:46.607

Link: CVE-2026-43358

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43358 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:30:17Z

Weaknesses