CVE-2026-46251: btrfs: fix block_group_tree dirty_list corruption
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list corruption When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked to a list by the dirty_list field and this use of list_add_tail() is invalid and corrupts the prev/next members of block_group_root->dirty_list. This is apparent on a subsequent list_del on the prev if we enable CONFIG_DEBUG_LIST: [32.1571] ------------[ cut here ]------------ [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538) [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607 [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none) [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014 [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120 [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202 [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538 [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00 [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538 [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538 [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000 [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0 [32.1609] Call Trace: [32.1610] <TASK> [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs] [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs] [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs] [32.1621] __iterate_supers+0xe8/0x190 [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10 [32.1623] ksys_sync+0x63/0xb0 [32.1624] __do_sys_sync+0xe/0x20 [32.1625] do_syscall_64+0x73/0x450 [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e [32.1627] RIP: 0033:0x7f0c28d05d2b [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2 [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000 [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80 [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034 [32.1643] </TASK> [32.1644] irq event stamp: 0 [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0 [32.1652] ---[ end trace 0000000000000000 ]--- Furthermore, this list corruption eventually (when we happen to add a new block group) results in getting the switch_commits and dirty_cowonly_roots lists mixed up and attempting to call update_root on the tree root which can't be found in the tree root, resulting in a transaction abort: [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1 [87.8272] ------------[ cut here ]------------ [87.8274] BTRFS: Transaction aborted (error -117) [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703 [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none) [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0 ---truncated---
Metrics
- CVSS v3.1
- 8.4
- Severity
- HIGH
- Fixed in
- 0
- Affected Products
- 2
HarborGuard Analysis
Synopsis
A linked-list corruption bug exists in the btrfs filesystem driver of the Linux kernel. The flaw is exploitable locally without any credentials and without requiring interaction from another user. Successful exploitation gives an attacker full read, write, and crash capability over the affected system. A patched-image rebuild at fix version 6.1 is available on HarborGuard for environments running an affected kernel version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that carry an affected kernel version. Coverage applies to both registry scans and inline pipeline checks at build time.
AvailableHarborGuard scores this CVE at CVSS 8.4 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within the customer org based on image ownership and policy configuration.
AvailableA patched-image rebuild targeting fix version 6.1 is available on HarborGuard for any image found to carry an affected kernel version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network access to the target service is required.
- AuthenticationNot required
No credentials or account privileges are required to trigger the vulnerability.
- Victim interactionNot required
Exploitation is fully attacker-driven; no action from another user is needed.
- Attack complexityDetail
The exploit is reliable and condition-free; no race conditions or special environmental layout need to be arranged.
Blast Radius
- Reads protected kernel memory and any data accessible to the kernel, including credentials and filesystem contents.
- Modifies kernel data structures, allowing corruption of filesystem metadata or arbitrary writes within kernel address space.
- Crashes the affected system by corrupting the btrfs block group dirty-list, triggering a kernel panic or BUG() condition on the next transaction commit.
- All three impacts can be combined in a single exploit session, giving an attacker full control over the host.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication against every image in a customer registry or build pipeline, including custom kernels that vendor or repackage the affected btrfs code. Triage is automatic, with CVSS 8.4 HIGH severity and per-environment compliance policy weighting routing the finding to the right team. A patched-image rebuild at version 6.1 becomes available as soon as the fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Customers who manage remediation manually can act on the finding in their HarborGuard dashboard immediately after detection.
Fix available
- Linux / Linux< 6e10283b5519d987d880d71bec90cdc7f2ec62b3 (from 14033b08a02916e85ffc5397e4ac15337359f3ae) · < e3d1fd084319f8f0830b22f014c7af6a96b4497b (from 14033b08a02916e85ffc5397e4ac15337359f3ae) · < 4eb830847d84276f1c8ea46541cfeeedaba1fb63 (from 14033b08a02916e85ffc5397e4ac15337359f3ae) · < 80e1fda9c084dcf54819a12bc7682ec0afd2d8f4 (from 14033b08a02916e85ffc5397e4ac15337359f3ae) · < 201091da34c4f113af6b4a7407091c39bf29d4ca (from 14033b08a02916e85ffc5397e4ac15337359f3ae) · < 3a1f4264daed4b419c325a7fe35e756cada3cf82 (from 14033b08a02916e85ffc5397e4ac15337359f3ae)
- Linux / Linux6.1Fixed in 0, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H