MEDIUM 5.5

CVE-2026-46160

A flaw in the Linux kernel's Btrfs filesystem can corrupt the transaction log during recovery if a directory is removed while a process still holds an open file descriptor to it and performs an fsync operation. When the system crashes after this sequence, the filesystem becomes inconsistent and fails to mount, resulting in data loss or extended downtime. This is a local issue requiring user-level access and specific conditions to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
2 configuration(s)
Published / Modified
2026-05-28 / 2026-06-19

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix missing last_unlink_trans update when removing a directory When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it. Example scenario: mkdir /mnt/dir1 mkdir /mnt/dir1/dir2 mkdir /mnt/dir3 sync -f /mnt # Do some change to the directory and fsync it. chmod 700 /mnt/dir1 xfs_io -c fsync /mnt/dir1 # Move dir2 out of dir1 so that dir1 becomes empty. mv /mnt/dir1/dir2 /mnt/dir3/ open fd on /mnt/dir1 call rmdir(2) on path "/mnt/dir1" fsync fd <trigger power failure> When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following: [445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm [445771.627912] BTRFS info (device dm-0): start tree-log replay [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 [445771.629453] memcg:ffff89f400351b00 [445771.629892] aops:btree_aops [btrfs] ino:1 [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 [445771.635029] page dumped because: eb page dump [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 [445771.638100] rdev 0 sequence 2 flags 0x0 [445771.638102] atime 1775744884.0 [445771.660056] ctime 1775744885.645502983 [445771.660058] mtime 1775744885.645502983 [445771.660060] otime 1775744884.0 [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [445771.660064] index 0 name_len 2 [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 [445771.660068] location key (259 1 0) type 2 [445771.660070] transid 9 data_len 0 name_len 4 [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 [445771.660076] location key (257 1 0) type 2 [445771.660077] transid 9 data_len 0 name_len 4 [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [445771.660079] location key (257 1 0) type 2 [445771.660080] transid 9 data_len 0 name_len 4 [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 [445771.660082] location key (259 1 0) type 2 [445771.660083] transid 9 data_len 0 name_len 4 [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 [445771.660088] rdev 0 sequence 2 flags 0x0 [445771.660089] atime 1775744885.641174097 [445771.660090] ctime 1775744885.645502983 [445771.660091] mtime 1775744885.645502983 [445771.660105] otime 1775744885.641174097 [445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14 [445771.660107] index 2 name_len 4 [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 [445771.660109] location key (2 ---truncated---

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the Btrfs filesystem implementation where the last_unlink_trans field is not updated when a directory is removed via rmdir(2). During log replay after an unclean shutdown, this missing update causes the transaction log to reference an inode with an incorrect link count, leading to a critical corruption error ("invalid nlink: has 2 expect no more than 1 for dir") that prevents filesystem mount. The issue manifests only when an open file descriptor exists on the directory at the time of removal, and an fsync is called on that descriptor before the crash occurs.

Business impact

Systems using Btrfs may experience unexpected filesystem corruption and mount failures after power loss or unclean shutdown, resulting in service unavailability and potential data loss. This is particularly relevant for virtualized environments, containers, and dedicated servers relying on Btrfs for storage. Recovery requires manual filesystem repair or restoration from backups, extending recovery time objectives and increasing operational overhead.

Affected systems

Linux systems running the kernel with Btrfs filesystem support are affected. The vulnerability requires a user with local access (not root in many cases) and an active file descriptor on the directory being removed. Btrfs is commonly used in container platforms, virtual machine hosts, and systems prioritizing storage efficiency. The scope is local only; remote exploitation is not possible.

Exploitability

The issue requires local user access and a specific sequence of filesystem operations to trigger. The attack surface is limited: an unprivileged user must open a directory, remove it via rmdir, then fsync the open descriptor before the system crashes or loses power. This could occur accidentally during normal operations or be intentionally triggered by a malicious local user to disrupt service availability. The CVSS score of 5.5 reflects the local-only attack vector and availability impact without confidentiality or integrity exposure.

Remediation

Apply the Linux kernel patch that ensures last_unlink_trans is correctly updated during directory removal. Verify the patch is included in your kernel build and test in a non-production environment first, particularly if you rely heavily on Btrfs. For systems unable to patch immediately, consider using alternative filesystems (ext4, XFS) if feasible, or implement strict access controls to prevent unprivileged users from performing directory removal operations on directories they hold open.

Patch guidance

Check your Linux distribution's kernel update advisories for a patched version addressing CVE-2026-46160. The fix involves modifying the directory removal code path to update the last_unlink_trans field before the inode is deleted. Test the patched kernel in a staging environment that replicates your Btrfs configuration and workload before production deployment. Coordinate the update with your change management process, as kernel updates typically require a reboot.

Detection guidance

Monitor system logs for Btrfs corruption errors during mount or recovery, specifically messages containing "corrupt leaf" or "invalid nlink" errors referencing directories. If such errors occur consistently after unplanned shutdowns, investigate whether the corrupted directories were recently removed and whether processes held open file descriptors. For proactive detection, audit which users and applications open and remove directories frequently, and consider restricting these operations where possible. Collect kernel version and Btrfs-related dmesg output during incidents for forensic analysis.

Why prioritize this

Although the CVSS score is moderate (5.5), the vulnerability should be prioritized because it directly impacts data availability and system recoverability. Unlike many local vulnerabilities, this one affects core filesystem integrity rather than privilege escalation alone. Organizations running Btrfs in production environments should schedule patching within standard security update cycles. The impact is heightened for systems with infrequent reboots or those running in environments where unplanned power loss is plausible (virtualized hosts, edge computing, IoT infrastructure).

Risk score, explained

The CVSS v3.1 score of 5.5 (MEDIUM) reflects an attack vector limited to local access (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), and no user interaction needed (UI:N). The impact is confined to availability (A:H), with no confidentiality or integrity risk. However, the real-world risk may be elevated in environments where Btrfs is mission-critical or where unplanned shutdowns are common, warranting consideration beyond the numerical score.

Frequently asked questions

Does this vulnerability require root access to exploit?

No. The vulnerability can be triggered by any local user with permission to create and remove directories and open file descriptors. This makes it a concern for multi-user systems and shared hosting environments where unprivileged users have filesystem access.

What happens if my system crashes after a directory is removed and fsynced?

When the filesystem attempts to recover the transaction log during the next mount, it will detect a corruption inconsistency (invalid link count) and fail to mount. The filesystem becomes inaccessible until repaired or rolled back from a backup. This is why the vulnerability impacts availability even though it is triggered by a local user.

Are all Linux filesystems affected, or just Btrfs?

Only Btrfs is affected. Other common Linux filesystems like ext4 and XFS do not have this specific vulnerability. If you are not using Btrfs, you are not impacted by CVE-2026-46160.

Can I work around this without updating the kernel?

Potential mitigations include switching to a different filesystem if possible, restricting directory removal and fsync operations to trusted users, or ensuring clean shutdowns with no power loss scenarios. However, a kernel patch is the only proper fix.

This analysis is based on the official CVE record and Linux kernel advisory data as of the publication date. Patch availability and version numbers should be verified against your Linux distribution's security advisories and kernel release notes. Testing patches in non-production environments is strongly recommended before deployment. Organizations should conduct their own risk assessment based on their specific Btrfs usage, system architecture, and threat model. SEC.co does not guarantee that all variants or downstream impacts of this vulnerability have been disclosed. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities