CVE-2026-43118
Awaiting Analysis Awaiting Analysis - Queue
Btrfs Inode Size Corruption After Log Replay

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix zero size inode with non-zero size after log replay When logging that an inode exists, as part of logging a new name or logging new dir entries for a directory, we always set the generation of the logged inode item to 0. This is to signal during log replay (in overwrite_item()), that we should not set the i_size since we only logged that an inode exists, so the i_size of the inode in the subvolume tree must be preserved (as when we log new names or that an inode exists, we don't log extents). This works fine except when we have already logged an inode in full mode or it's the first time we are logging an inode created in a past transaction, that inode has a new i_size of 0 and then we log a new name for the inode (due to a new hardlink or a rename), in which case we log an i_size of 0 for the inode and a generation of 0, which causes the log replay code to not update the inode's i_size to 0 (in overwrite_item()). An example scenario: mkdir /mnt/dir xfs_io -f -c "pwrite 0 64K" /mnt/dir/foo sync xfs_io -c "truncate 0" -c "fsync" /mnt/dir/foo ln /mnt/dir/foo /mnt/dir/bar xfs_io -c "fsync" /mnt/dir <power fail> After log replay the file remains with a size of 64K. This is because when we first log the inode, when we fsync file foo, we log its current i_size of 0, and then when we create a hard link we log again the inode in exists mode (LOG_INODE_EXISTS) but we set a generation of 0 for the inode item we add to the log tree, so during log replay overwrite_item() sees that the generation is 0 and i_size is 0 so we skip updating the inode's i_size from 64K to 0. Fix this by making sure at fill_inode_item() we always log the real generation of the inode if it was logged in the current transaction with the i_size we logged before. Also if an inode created in a previous transaction is logged in exists mode only, make sure we log the i_size stored in the inode item located from the commit root, so that if we log multiple times that the inode exists we get the correct i_size. A test case for fstests will follow soon.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-05-06
AI Q&A
2026-05-06
EPSS Evaluated
N/A
NVD
CVE-2026-43118
EUVD
EUVD-2026-27645
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's btrfs filesystem related to how inode sizes are logged and replayed after a crash or power failure.

When the filesystem logs that an inode exists (for example, when logging new directory entries or hardlinks), it sets the inode generation to 0 to indicate that the inode size (i_size) should not be updated during log replay.

However, if an inode was previously logged with a non-zero size and then later logged as existing with a generation of 0 and size 0 (such as after truncating a file and creating a hard link), the log replay process incorrectly skips updating the inode size.

As a result, after a crash and log replay, the file size may remain at its old value instead of being updated to zero, causing inconsistency between the actual file content and its recorded size.

The fix ensures that the real inode generation is logged properly and the correct inode size is preserved during log replay.


How can this vulnerability impact me? :

This vulnerability can cause files to have incorrect sizes after a system crash or power failure.

Specifically, a file that was truncated to zero size might still appear to have its old size after log replay, leading to potential data inconsistency.

This can impact applications or users relying on accurate file size information, potentially causing errors in file processing, backup, or synchronization operations.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart