Skip to main content

Linux CVE-2026-23423

| EUVDEUVD-2026-18643 MEDIUM
Memory Leak (CWE-401)
2026-04-03 Linux GHSA-rc42-xqq7-h58r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:11 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
3f501412f2079ca14bf68a18d80a2b7a823f1f64,628895890b0c9ac9129129e89455da7db95ba343
EUVD ID Assigned
Apr 03, 2026 - 13:45 euvd
EUVD-2026-18643
Analysis Generated
Apr 03, 2026 - 13:45 vuln.today
CVE Published
Apr 03, 2026 - 13:24 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: free pages on error in btrfs_uring_read_extent()

In this function the 'pages' object is never freed in the hopes that it is picked up by btrfs_uring_read_finished() whenever that executes in the future. But that's just the happy path. Along the way previous allocations might have gone wrong, or we might not get -EIOCBQUEUED from btrfs_encoded_read_regular_fill_pages(). In all these cases, we go to a cleanup section that frees all memory allocated by this function without assuming any deferred execution, and this also needs to happen for the 'pages' allocation.

AnalysisAI

Linux kernel btrfs subsystem fails to free allocated pages in btrfs_uring_read_extent() when error conditions occur before asynchronous I/O completion, leading to memory leaks. The vulnerability affects all Linux kernel versions with the vulnerable btrfs implementation; while tagged as Information Disclosure, the primary impact is denial of service through memory exhaustion rather than data exposure. No public exploit code or active exploitation has been identified; this is a defensive fix addressing a code path that may never execute under normal conditions but represents a resource management defect.

Technical ContextAI

The btrfs (B-tree file system) kernel subsystem implements asynchronous I/O operations via io_uring, a high-performance I/O interface in Linux. The btrfs_uring_read_extent() function allocates a 'pages' object intended to be freed by a deferred callback (btrfs_uring_read_finished()) in the normal completion path. However, when error conditions occur-such as allocation failures in intermediate steps or when btrfs_encoded_read_regular_fill_pages() does not return -EIOCBQUEUED (indicating the operation was queued)-the function branches to error cleanup code that does not account for the 'pages' allocation. This is a classic resource leak pattern where deferred cleanup assumptions break down in exception paths. The root cause is incomplete error handling in asynchronous I/O orchestration, representing a memory management defect in the storage subsystem.

RemediationAI

Update the Linux kernel to a version containing the fix commits referenced in the kernel.org stable tree (d4f210de01eaccac61eee657f676045ef9771d07, 628895890b0c9ac9129129e89455da7db95ba343, or 3f501412f2079ca14bf68a18d80a2b7a823f1f64). Consult your distribution's security advisory for the corresponding kernel package version (e.g., via 'uname -r' and then cross-reference with your vendor's CVE tracking page). If immediate patching is not feasible, avoid use of io_uring-based reads on btrfs filesystems as a temporary mitigation, though this is impractical for production systems. The fix is a straightforward addition of page deallocation in the error path with no functional side effects, making rapid deployment safe and recommended.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23423 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy