Skip to main content

Linux Kernel btrfs CVE-2026-46160

| EUVDEUVD-2026-32787 MEDIUM
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xvrh-2655-9jjv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 21:08 vuln.today
CVSS changed
Jun 09, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix missing last_unlink_trans update when removing a directory

When removing a directory we are not updating its last_unlink_trans field, which can result in incorrect fsync behaviour in case some one fsyncs the directory after it was removed because it's holding a file descriptor on it.

Example scenario:

mkdir /mnt/dir1 mkdir /mnt/dir1/dir2 mkdir /mnt/dir3

sync -f /mnt

Do some change to the directory and fsync it.

chmod 700 /mnt/dir1 xfs_io -c fsync /mnt/dir1

Move dir2 out of dir1 so that dir1 becomes empty.

mv /mnt/dir1/dir2 /mnt/dir3/

open fd on /mnt/dir1 call rmdir(2) on path "/mnt/dir1" fsync fd

<trigger power failure>

When attempting to mount the filesystem, the log replay will fail with an -EIO error and dmesg/syslog has the following:

[445771.626482] BTRFS info (device dm-0): first mount of filesystem 0368bbea-6c5e-44b5-b409-09abe496e650 [445771.626486] BTRFS info (device dm-0): using crc32c checksum algorithm [445771.627912] BTRFS info (device dm-0): start tree-log replay [445771.628335] page: refcount:2 mapcount:0 mapping:0000000061443ddc index:0x1d00 pfn:0x7072a5 [445771.629453] memcg:ffff89f400351b00 [445771.629892] aops:btree_aops [btrfs] ino:1 [445771.630737] flags: 0x17fffc00000402a(uptodate|lru|private|writeback|node=0|zone=2|lastcpupid=0x1ffff) [445771.632359] raw: 017fffc00000402a fffff47284d950c8 fffff472907b7c08 ffff89f458e412b8 [445771.633713] raw: 0000000000001d00 ffff89f6c51d1a90 00000002ffffffff ffff89f400351b00 [445771.635029] page dumped because: eb page dump [445771.635825] BTRFS critical (device dm-0): corrupt leaf: root=5 block=30408704 slot=10 ino=258, invalid nlink: has 2 expect no more than 1 for dir [445771.638088] BTRFS info (device dm-0): leaf 30408704 gen 10 total ptrs 17 free space 14878 owner 5 [445771.638091] BTRFS info (device dm-0): refs 4 lock_owner 0 current 3581087 [445771.638094] item 0 key (256 INODE_ITEM 0) itemoff 16123 itemsize 160 [445771.638097] inode generation 3 transid 9 size 16 nbytes 16384 [445771.638098] block group 0 mode 40755 links 1 uid 0 gid 0 [445771.638100] rdev 0 sequence 2 flags 0x0 [445771.638102] atime 1775744884.0 [445771.660056] ctime 1775744885.645502983 [445771.660058] mtime 1775744885.645502983 [445771.660060] otime 1775744884.0 [445771.660062] item 1 key (256 INODE_REF 256) itemoff 16111 itemsize 12 [445771.660064] index 0 name_len 2 [445771.660066] item 2 key (256 DIR_ITEM 1843588421) itemoff 16077 itemsize 34 [445771.660068] location key (259 1 0) type 2 [445771.660070] transid 9 data_len 0 name_len 4 [445771.660075] item 3 key (256 DIR_ITEM 2363071922) itemoff 16043 itemsize 34 [445771.660076] location key (257 1 0) type 2 [445771.660077] transid 9 data_len 0 name_len 4 [445771.660078] item 4 key (256 DIR_INDEX 2) itemoff 16009 itemsize 34 [445771.660079] location key (257 1 0) type 2 [445771.660080] transid 9 data_len 0 name_len 4 [445771.660081] item 5 key (256 DIR_INDEX 3) itemoff 15975 itemsize 34 [445771.660082] location key (259 1 0) type 2 [445771.660083] transid 9 data_len 0 name_len 4 [445771.660084] item 6 key (257 INODE_ITEM 0) itemoff 15815 itemsize 160 [445771.660086] inode generation 9 transid 9 size 8 nbytes 0 [445771.660087] block group 0 mode 40777 links 1 uid 0 gid 0 [445771.660088] rdev 0 sequence 2 flags 0x0 [445771.660089] atime 1775744885.641174097 [445771.660090] ctime 1775744885.645502983 [445771.660091] mtime 1775744885.645502983 [445771.660105] otime 1775744885.641174097 [445771.660106] item 7 key (257 INODE_REF 256) itemoff 15801 itemsize 14 [445771.660107] index 2 name_len 4 [445771.660108] item 8 key (257 DIR_ITEM 2676584006) itemoff 15767 itemsize 34 [445771.660109] location key (2 ---truncated---

AnalysisAI

Filesystem availability loss in the Linux kernel's btrfs subsystem can render a mounted volume unrecoverable after a power failure under specific directory removal conditions. The btrfs directory removal path fails to update the inode's last_unlink_trans field, causing a stale transaction ID to persist. When a process holds an open file descriptor to the removed directory and subsequently calls fsync, the incomplete journal entry survives to disk; upon next mount, log replay fails with -EIO and a 'corrupt leaf: invalid nlink' critical error, leaving the filesystem unmountable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (5th percentile) reflects negligible opportunistic exploitation interest, consistent with a logic-flaw data-integrity bug rather than a memory-corruption primitive.

Technical ContextAI

The affected component is the btrfs (B-Tree Filesystem) journal/log replay subsystem within the Linux kernel, identified by CPE cpe:2.3:o:linux:linux_kernel. The root cause is a missing write to the last_unlink_trans field in the btrfs inode structure during directory removal via rmdir(2). In btrfs, last_unlink_trans tracks the most recent transaction in which a directory lost a child, enabling fsync to decide whether to log the parent inode's full metadata state. When this field is not updated, a subsequent fsync on the directory (possible while a file descriptor remains open after rmdir) writes an incomplete or inconsistent log tree entry. The log replay engine then encounters an inode with an nlink count that violates btrfs invariants (directory with nlink > 1), triggering a critical validation failure and aborting the mount. CWE is listed as N/A by NVD; the root cause most closely maps to incorrect state management / missing state update (analogous to CWE-664: Improper Control of a Resource Through its Lifetime). The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H accurately reflects a local, low-complexity availability-only impact with no confidentiality or integrity exposure.

RemediationAI

The primary fix is to upgrade the Linux kernel to a patched stable release: 6.6.141 or later for the 6.6 LTS branch, 6.12.91 or later for the 6.12 LTS branch, 6.18.30 or later for the 6.18 branch, 7.0.7 or later for the 7.0 branch, or 7.1-rc2 or later for mainline development. Upstream fix commits are confirmed at git.kernel.org/stable/c/36fcc2c7517f8a86379154c9793f867592aa8b7e and four related commits. For systems where a kernel upgrade is not immediately feasible, the risk can be partially mitigated by avoiding btrfs as the filesystem for workloads that hold open file descriptors to directories that may be removed (e.g., certain container runtimes, backup daemons, or file-manager applications); migrating these workloads to ext4 or XFS eliminates the exposure entirely. An alternative compensating control is to disable btrfs journal/log replay by mounting with the 'nologreplay' mount option - note this trades the replay-failure risk for reduced crash consistency and may result in data loss on unclean shutdown, so it should only be considered as a temporary measure. No vendor advisory URL beyond the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-46160) and upstream kernel commits was identified in the provided references.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy