CVE-2026-46251EPSS p3.1%
CVE-2026-46251CVE-2026-46251
linux / linux_kernel
Description
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix block_group_tree dirty_list corruption
When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the
block group tree to the switch_commits list before calling
switch_commit_roots, as we do for the tree root and the chunk root.
However, the block group tree uses normal root dirty tracking and in any
transaction that does an allocation and dirties a block group, the block
group root will already be linked to a list by the dirty_list field and
this use of list_add_tail() is invalid and corrupts the prev/next
members of block_group_root->dirty_list.
This is apparent on a subsequent list_del on the prev if we enable
CONFIG_DEBUG_LIST:
[32.1571] ------------[ cut here ]------------
[32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538)
[32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607
[32.1583] CPU: 3 UID: 0 PID: 6
Scoring
| CVSS | 8.4 () |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.13% probability of exploitation · percentile 3.1% · 2026-06-18T12:00:27Z |
| Last modified | 2026-06-09 |
Related by meaning· 6
Nearest entities by semantic similarity across the cs-graph corpus.