CVE-2026-46251
Received Received - Intake
Btrfs filesystem corruption due to dirty_list handling flaw

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list corruption When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked to a list by the dirty_list field and this use of list_add_tail() is invalid and corrupts the prev/next members of block_group_root->dirty_list. This is apparent on a subsequent list_del on the prev if we enable CONFIG_DEBUG_LIST: [32.1571] ------------[ cut here ]------------ [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538) [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607 [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none) [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014 [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120 [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202 [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538 [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00 [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538 [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538 [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000 [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0 [32.1609] Call Trace: [32.1610] <TASK> [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs] [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs] [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs] [32.1621] __iterate_supers+0xe8/0x190 [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10 [32.1623] ksys_sync+0x63/0xb0 [32.1624] __do_sys_sync+0xe/0x20 [32.1625] do_syscall_64+0x73/0x450 [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e [32.1627] RIP: 0033:0x7f0c28d05d2b [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2 [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000 [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80 [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034 [32.1643] </TASK> [32.1644] irq event stamp: 0 [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0 [32.1652] ---[ end trace 0000000000000000 ]--- Furthermore, this list corruption eventually (when we happen to add a new block group) results in getting the switch_commits and dirty_cowonly_roots lists mixed up and attempting to call update_root on the tree root which can't be found in the tree root, resulting in a transaction abort: [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1 [87.8272] ------------[ cut here ]------------ [87.8274] BTRFS: Transaction aborted (error -117) [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703 [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none) [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0 ---truncated---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-03
Generated
2026-06-04
AI Q&A
2026-06-03
EPSS Evaluated
N/A
NVD
CVE-2026-46251
EUVD
EUVD-2026-34113
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux kernel 6.18.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's btrfs filesystem. When the EXTENT_TREE_V2 incompatibility flag is set, the block group tree is incorrectly added to a list called switch_commits before a function called switch_commit_roots is called. The block group tree uses a different method for tracking changes (normal root dirty tracking), so adding it unconditionally corrupts the linked list structure that tracks dirty block groups.

This corruption leads to invalid pointers in the list, which can cause errors during list operations, such as list deletion. When debugging is enabled, this manifests as list_del corruption warnings and kernel warnings.

Eventually, this list corruption can cause the system to mix up internal lists and attempt to update a tree root that does not exist, resulting in a transaction abort in the btrfs filesystem.


How can this vulnerability impact me? :

This vulnerability can cause corruption of internal data structures in the btrfs filesystem, leading to kernel warnings and errors.

The corruption can cause transactions in the filesystem to abort unexpectedly, which may result in failed writes or data operations.

In practical terms, this could lead to instability of the filesystem, potential data loss, or system crashes when using btrfs with the affected kernel versions and configurations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as corruption in the block_group_tree dirty_list in the Linux kernel's btrfs filesystem when the EXTENT_TREE_V2 incompat flag is set. Detection can be done by monitoring kernel logs for specific error messages related to list corruption and transaction aborts.

  • Look for kernel log messages indicating list_del corruption, such as: "list_del corruption. next->prev should be..., but was..."
  • Check for BTRFS critical errors in kernel logs, for example: "BTRFS critical (device ...): unable to find root key (1 0 0) in tree 1" and "BTRFS: Transaction aborted (error -117)".
  • Enable CONFIG_DEBUG_LIST in the kernel configuration to get detailed list corruption warnings.
  • Use the command `dmesg | grep -i 'list_del corruption'` to search for list corruption errors in kernel logs.
  • Use `dmesg | grep -i btrfs` to find BTRFS related critical errors.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, the primary step is to update the Linux kernel to a version where this btrfs block_group_tree dirty_list corruption issue has been fixed.

Since the issue occurs when the EXTENT_TREE_V2 incompat flag is set and involves corruption during transactions, avoiding workloads that trigger heavy btrfs block group allocations or transactions until patched may reduce risk.

Enabling kernel debugging options like CONFIG_DEBUG_LIST can help detect corruption early but does not mitigate the vulnerability itself.

Regularly monitor kernel logs for signs of corruption or transaction aborts to respond quickly.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart