CVE-2026-23249

{"id": "CVE-2026-23249", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-18T18:16:22.787", "references": [{"url": "https://git.kernel.org/stable/c/55e03b8cbe2783ec9acfb88e8adb946ed504e117", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5991e96f2ae82df60a3e4ed00f3432d9f3502a99", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b04baa848c0543b240b1bd8aecff470382f6f154", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d69de525bc7ab27713342080bf50826df3f6a68f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: check for deleted cursors when revalidating two btrees\n\nThe free space and inode btree repair functions will rebuild both btrees\nat the same time, after which it needs to evaluate both btrees to\nconfirm that the corruptions are gone.\n\nHowever, Jiaming Zhang ran syzbot and produced a crash in the second\nxchk_allocbt call. His root-cause analysis is as follows (with minor\ncorrections):\n\n In xrep_revalidate_allocbt(), xchk_allocbt() is called twice (first\n for BNOBT, second for CNTBT). The cause of this issue is that the\n first call nullified the cursor required by the second call.\n\n Let's first enter xrep_revalidate_allocbt() via following call chain:\n\n xfs_file_ioctl() ->\n xfs_ioc_scrubv_metadata() ->\n xfs_scrub_metadata() ->\n `sc->ops->repair_eval(sc)` ->\n xrep_revalidate_allocbt()\n\n xchk_allocbt() is called twice in this function. In the first call:\n\n /* Note that sc->sm->sm_type is XFS_SCRUB_TYPE_BNOPT now */\n xchk_allocbt() ->\n xchk_btree() ->\n `bs->scrub_rec(bs, recp)` ->\n xchk_allocbt_rec() ->\n xchk_allocbt_xref() ->\n xchk_allocbt_xref_other()\n\n since sm_type is XFS_SCRUB_TYPE_BNOBT, pur is set to &sc->sa.cnt_cur.\n Kernel called xfs_alloc_get_rec() and returned -EFSCORRUPTED. Call\n chain:\n\n xfs_alloc_get_rec() ->\n xfs_btree_get_rec() ->\n xfs_btree_check_block() ->\n (XFS_IS_CORRUPT || XFS_TEST_ERROR), the former is false and the latter\n is true, return -EFSCORRUPTED. This should be caused by\n ioctl$XFS_IOC_ERROR_INJECTION I guess.\n\n Back to xchk_allocbt_xref_other(), after receiving -EFSCORRUPTED from\n xfs_alloc_get_rec(), kernel called xchk_should_check_xref(). In this\n function, *curpp (points to sc->sa.cnt_cur) is nullified.\n\n Back to xrep_revalidate_allocbt(), since sc->sa.cnt_cur has been\n nullified, it then triggered null-ptr-deref via xchk_allocbt() (second\n call) -> xchk_btree().\n\nSo. The bnobt revalidation failed on a cross-reference attempt, so we\ndeleted the cntbt cursor, and then crashed when we tried to revalidate\nthe cntbt. Therefore, check for a null cntbt cursor before that\nrevalidation, and mark the repair incomplete. Also we can ignore the\nsecond tree entirely if the first tree was rebuilt but is already\ncorrupt.\n\nApply the same fix to xrep_revalidate_iallocbt because it has the same\nproblem."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nxfs: verificar cursores eliminados al revalidar dos btrees\n\nLas funciones de reparaci\u00f3n de btree de espacio libre e inodo reconstruir\u00e1n ambos btrees al mismo tiempo, despu\u00e9s de lo cual necesita evaluar ambos btrees para confirmar que las corrupciones han desaparecido.\n\nSin embargo, Jiaming Zhang ejecut\u00f3 syzbot y produjo un fallo en la segunda llamada a xchk_allocbt. Su an\u00e1lisis de causa ra\u00edz es el siguiente (con correcciones menores):\n\nEn xrep_revalidate_allocbt(), se llama a xchk_allocbt() dos veces (primero para BNOBT, segundo para CNTBT). La causa de este problema es que la primera llamada anul\u00f3 el cursor requerido por la segunda llamada.\n\nPrimero entremos en xrep_revalidate_allocbt() a trav\u00e9s de la siguiente cadena de llamadas:\n\nxfs_file_ioctl() ->\nxfs_ioc_scrubv_metadata() ->\nxfs_scrub_metadata() ->\n'sc->ops->repair_eval(sc)' ->\nxrep_revalidate_allocbt()\n\nSe llama a xchk_allocbt() dos veces en esta funci\u00f3n. En la primera llamada:\n\n/* Tenga en cuenta que sc->sm->sm_type es XFS_SCRUB_TYPE_BNOPT ahora */\nxchk_allocbt() ->\nxchk_btree() ->\n'bs->scrub_rec(bs, recp)' ->\nxchk_allocbt_rec() ->\nxchk_allocbt_xref() ->\nxchk_allocbt_xref_other()\n\ndado que sm_type es XFS_SCRUB_TYPE_BNOBT, pur se establece en &sc->sa.cnt_cur. El kernel llam\u00f3 a xfs_alloc_get_rec() y devolvi\u00f3 -EFSCORRUPTED. Cadena de llamadas:\n\nxfs_alloc_get_rec() ->\nxfs_btree_get_rec() ->\nxfs_btree_check_block() ->\n(XFS_IS_CORRUPT || XFS_TEST_ERROR), el primero es falso y el segundo es verdadero, devuelve -EFSCORRUPTED. Esto deber\u00eda ser causado por ioctl$XFS_IOC_ERROR_INJECTION, supongo.\n\nVolviendo a xchk_allocbt_xref_other(), despu\u00e9s de recibir -EFSCORRUPTED de xfs_alloc_get_rec(), el kernel llam\u00f3 a xchk_should_check_xref(). En esta funci\u00f3n, *curpp (que apunta a sc->sa.cnt_cur) es anulado.\n\nVolviendo a xrep_revalidate_allocbt(), dado que sc->sa.cnt_cur ha sido anulado, entonces activ\u00f3 una desreferencia de puntero nulo a trav\u00e9s de xchk_allocbt() (segunda llamada) -> xchk_btree().\n\nAs\u00ed que. La revalidaci\u00f3n de bnobt fall\u00f3 en un intento de referencia cruzada, por lo que eliminamos el cursor cntbt, y luego fallamos cuando intentamos revalidar el cntbt. Por lo tanto, verifique si hay un cursor cntbt nulo antes de esa revalidaci\u00f3n, y marque la reparaci\u00f3n como incompleta. Tambi\u00e9n podemos ignorar el segundo \u00e1rbol por completo si el primer \u00e1rbol fue reconstruido pero ya est\u00e1 corrupto.\n\nAplique la misma correcci\u00f3n a xrep_revalidate_iallocbt porque tiene el mismo problema."}], "lastModified": "2026-05-21T18:34:07.380", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A94C3E7-EF78-4AF2-8160-DDF77E97D5EE", "versionEndExcluding": "6.12.75", "versionStartIncluding": "6.8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B", "versionEndExcluding": "6.18.16", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67", "versionEndExcluding": "6.19.6", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}