CVE-2026-46251: Linux Btrfs EXTENT_TREE_V2 Dirty List Corruption – Local DoS Risk
A vulnerability in the Linux kernel's Btrfs filesystem corrupts internal list structures when certain filesystem features are enabled. When the EXTENT_TREE_V2 compatibility flag is set, the kernel incorrectly manages the block group tree's tracking list during transaction commits. This causes the list's internal pointers to become invalid, leading to filesystem panics, transaction failures, and potential data loss. The issue manifests when the filesystem performs allocation operations on machines where this feature flag is active.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list corruption When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked to a list by the dirty_list field and this use of list_add_tail() is invalid and corrupts the prev/next members of block_group_root->dirty_list. This is apparent on a subsequent list_del on the prev if we enable CONFIG_DEBUG_LIST: [32.1571] ------------[ cut here ]------------ [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538) [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607 [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none) [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014 [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120 [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202 [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538 [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00 [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538 [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538 [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000 [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0 [32.1609] Call Trace: [32.1610] <TASK> [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs] [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs] [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs] [32.1621] __iterate_supers+0xe8/0x190 [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10 [32.1623] ksys_sync+0x63/0xb0 [32.1624] __do_sys_sync+0xe/0x20 [32.1625] do_syscall_64+0x73/0x450 [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e [32.1627] RIP: 0033:0x7f0c28d05d2b [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2 [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000 [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80 [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034 [32.1643] </TASK> [32.1644] irq event stamp: 0 [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0 [32.1652] ---[ end trace 0000000000000000 ]--- Furthermore, this list corruption eventually (when we happen to add a new block group) results in getting the switch_commits and dirty_cowonly_roots lists mixed up and attempting to call update_root on the tree root which can't be found in the tree root, resulting in a transaction abort: [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1 [87.8272] ------------[ cut here ]------------ [87.8274] BTRFS: Transaction aborted (error -117) [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703 [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none) [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0 ---truncated---
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the Btrfs transaction commit path when EXTENT_TREE_V2 is set. The kernel unconditionally adds the block_group_tree to switch_commits before calling switch_commit_roots, but the block_group_tree uses normal root dirty tracking. When a transaction performs an allocation that dirties the block group, the block_group_root is already linked via its dirty_list field. The subsequent list_add_tail() call corrupts the prev/next pointers. This manifests as list_del corruption warnings when CONFIG_DEBUG_LIST is enabled, and eventually leads to mixed switch_commits and dirty_cowonly_roots lists, causing the kernel to attempt invalid tree lookups and abort transactions with ENOENT errors.
Business impact
Systems running Btrfs with EXTENT_TREE_V2 enabled face filesystem instability and potential data loss. Active workloads experience transaction aborts during sync operations, making the filesystem unreliable for production use. Services dependent on affected storage become unavailable. On systems where Btrfs hosts container storage or virtual machine images, cascading failures can take down infrastructure dependent on that storage layer.
Affected systems
Linux systems running kernel versions with EXTENT_TREE_V2 Btrfs support when that feature is enabled on filesystems. This primarily affects newer kernel releases (6.18 and related development branches) where EXTENT_TREE_V2 is available and actively used. Systems with older kernels are unaffected unless they have backported this feature.
Exploitability
This vulnerability requires local access and cannot be triggered remotely. An unprivileged user cannot directly exploit it; the condition manifests during normal filesystem operations (allocation and sync) on systems with EXTENT_TREE_V2 enabled. No user interaction or special privileges are needed once the condition is met—the bug triggers automatically during typical filesystem workloads. The attack vector is local with low complexity.
Remediation
Apply kernel patches that fix the block_group_tree dirty_list handling. The fix involves preventing the unconditional list_add_tail() operation on the block_group_tree when it is already tracked in the dirty_list. Verify against the vendor advisory for specific patch versions and backport availability for your kernel series. Systems should prioritize patching if EXTENT_TREE_V2 is enabled on production Btrfs filesystems.
Patch guidance
Monitor Linux kernel security advisories and your distribution's errata for patched kernel versions. When patches are available, test in a non-production environment with EXTENT_TREE_V2-enabled Btrfs volumes under load to verify stability. Coordinate kernel updates with your change management process. For enterprise distributions (RHEL, SLES, Ubuntu, etc.), check their security channels for backported fixes even if running older kernel versions. Verify patch application with `uname -r` post-reboot.
Detection guidance
Enable CONFIG_DEBUG_LIST in your kernel if running affected versions to surface list corruption warnings early. Monitor system logs for messages like 'list_del corruption' and 'BTRFS critical unable to find root key'. Check dmesg for transaction abort errors (BTRFS: Transaction aborted) correlated with sync operations. If running EXTENT_TREE_V2 Btrfs filesystems, watch for unexpected filesystem hangs or I/O errors during normal workloads. Use `btrfs filesystem show` to identify which filesystems have EXTENT_TREE_V2 enabled.
Why prioritize this
This receives high priority due to the HIGH CVSS score (8.4) reflecting local root-level impact, combined with the practical severity of filesystem corruption and data loss risk. Although it requires local access, any unprivileged user triggering normal filesystem operations can cause the crash. Production infrastructure relying on Btrfs with this feature enabled faces immediate stability threats. The window between vulnerability and patch is critical for operational risk.
Risk score, explained
CVSS 3.1 8.4 (HIGH) reflects: Attack Vector Local (filesystem-based), Access Complexity Low (no special conditions beyond feature enablement), Privileges None (unprivileged user can trigger), User Interaction None, with high impact on Confidentiality, Integrity, and Availability. The filesystem can leak data during corruption, inconsistent state compromises integrity, and transaction aborts remove availability. The scope is unchanged as it affects the local system only.
Frequently asked questions
Does this affect all Btrfs filesystems or only those with specific settings?
Only Btrfs filesystems with the EXTENT_TREE_V2 compatibility flag enabled are affected. This is a newer feature; many existing Btrfs deployments do not have it enabled. Check with `btrfs filesystem show` or inspect filesystem metadata to confirm if your volumes use this feature.
Can this be exploited remotely or does it require physical/console access?
It requires local access to the system. A remote attacker cannot trigger it directly. However, any local user (including unprivileged ones) triggering filesystem operations can cause the crash, so it is broadly exploitable on multi-user systems.
What happens if my filesystem hits this bug? Is data permanently lost?
When triggered, the kernel panics or aborts the transaction, making the filesystem temporarily unavailable. Depending on crash timing and recovery, some in-flight data may be lost, but existing data on disk is typically not corrupted beyond recovery by Btrfs repair tools. However, this is a filesystem integrity issue and should be treated seriously.
If I am not using EXTENT_TREE_V2, am I safe?
Yes. This vulnerability only affects systems where EXTENT_TREE_V2 is explicitly enabled as a Btrfs feature. If your filesystems do not have this flag set, this vulnerability does not apply to you.
This analysis is based on publicly available vulnerability data as of the publication date. Specific patch versions, affected distributions, and KEV status should be verified directly with Linux vendors and CISA. Testing should be performed in non-production environments before applying patches. SEC.co does not provide exploit code or weaponization guidance. Always consult your distribution's security advisories for authoritative patch information and timelines. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2026-10001HIGHChrome Sandbox Escape via PerformanceManager Use-After-Free
- CVE-2026-10002HIGHGoogle Chrome PDFium Use-After-Free Vulnerability (CVSS 8.8)
- CVE-2026-10003HIGHChrome Use-After-Free Code Execution Vulnerability Analysis
- CVE-2026-10006HIGHChrome WebAudio Race Condition Remote Code Execution
- CVE-2026-10007HIGHChrome Use-After-Free in SVG Arbitrary Code Execution (CVSS 8.8)
- CVE-2026-10009HIGHChrome Skia Integer Overflow Sandbox Escape – Patch Guidance
- CVE-2026-10012HIGHChrome Skia Use-After-Free Sandbox Escape (v148.0.7778.216)
- CVE-2026-10013HIGHUse-After-Free in Chrome WebCodecs – Patch Guide & Risk Assessment