What is the CVSS score of CVE-2026-46251?

CVE-2026-46251 has a CVSS 3.1 base score of 8.4 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Linux Kernel are affected by CVE-2026-46251?

A Linux kernel vulnerability in btrfs storage systems (CVE-2026-46251, CVSS 8.4) allows local users with filesystem write access to corrupt storage infrastructure and cause service disruptions…. A patch is available.

How to fix or mitigate CVE-2026-46251?

Within 24 hours: Identify and catalog all Linux systems using btrfs filesystem with EXTENT_TREE_V2 enabled. Within 7 days: Apply patch available per vendor advisory to all affected systems per your change management process. Within 30 days: Validate patch deployment and perform filesystem integrity checks on remediated systems.

Linux Kernel CVE-2026-46251

EUVD-2026-34113 HIGH

2026-06-03 Linux

GHSA-c5jw-wr2h-vpj4

Information Disclosure Linux

8.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 05, 2026 - 07:25 vuln.today

CVSS changed

Jun 05, 2026 - 07:22 NVD

8.4 (HIGH)

Patch available

Jun 03, 2026 - 19:01 EUVD

CVE Published

Jun 03, 2026 - 15:49 nvd

UNKNOWN (no severity yet)

CVE Published

Jun 03, 2026 - 15:49 nvd

HIGH 8.4

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix block_group_tree dirty_list corruption

When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked to a list by the dirty_list field and this use of list_add_tail() is invalid and corrupts the prev/next members of block_group_root->dirty_list.

This is apparent on a subsequent list_del on the prev if we enable CONFIG_DEBUG_LIST:

[32.1571] ------------[ cut here ]------------ [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538) [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607 [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none) [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014 [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120 [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202 [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538 [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00 [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538 [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538 [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000 [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0 [32.1609] Call Trace: [32.1610] <TASK> [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs] [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs] [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs] [32.1621] __iterate_supers+0xe8/0x190 [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10 [32.1623] ksys_sync+0x63/0xb0 [32.1624] __do_sys_sync+0xe/0x20 [32.1625] do_syscall_64+0x73/0x450 [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e [32.1627] RIP: 0033:0x7f0c28d05d2b [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2 [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000 [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80 [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034 [32.1643] </TASK> [32.1644] irq event stamp: 0 [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0 [32.1652] ---[ end trace 0000000000000000 ]---

Furthermore, this list corruption eventually (when we happen to add a new block group) results in getting the switch_commits and dirty_cowonly_roots lists mixed up and attempting to call update_root on the tree root which can't be found in the tree root, resulting in a transaction abort:

[87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1 [87.8272] ------------[ cut here ]------------ [87.8274] BTRFS: Transaction aborted (error -117) [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703 [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none) [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0 ---truncated---

AnalysisAI

Linked-list corruption in the Linux kernel's btrfs filesystem allows a local user with btrfs write access to trigger memory corruption and a transaction abort when EXTENT_TREE_V2 incompat flag is enabled. The flaw stems from the block group tree being added twice to the switch_commits list, corrupting prev/next pointers and ultimately leading to filesystem inconsistency. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Local shell access on target

Delivery

Mount btrfs with EXTENT_TREE_V2 flag

Exploit

Allocate and dirty block group

Execution

Trigger sync/transaction commit

Persist

Corrupt switch_commits list pointers

Impact

Transaction abort and filesystem inconsistency

Access

Local shell access on target

Delivery

Mount btrfs with EXTENT_TREE_V2 flag

Exploit

Allocate and dirty block group

Execution

Trigger sync/transaction commit

Persist

Corrupt switch_commits list pointers

Impact

Transaction abort and filesystem inconsistency

Vulnerability AssessmentAI

Exploitation	Requires (1) a btrfs filesystem mounted with the EXTENT_TREE_V2 incompat feature flag enabled - this is an experimental, non-default option in mainline kernels; (2) local access to the system with the ability to write to or trigger sync on the affected btrfs mount; (3) a transaction sequence that allocates and dirties a block group followed by switch_commit_roots execution. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H rates this 8.4 - local attack vector, low complexity, no privileges, no user interaction, with high impact across all three triads. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A local user with the ability to write to or sync a btrfs filesystem that was formatted with the EXTENT_TREE_V2 incompat flag triggers normal block group allocation activity followed by a sync, which causes the doubly-linked block group root to corrupt the switch_commits list during transaction commit. The result is filesystem transaction abort and potential on-disk inconsistency or denial of service for the mounted volume. …
Remediation	Vendor-released patch: upgrade to Linux kernel 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0, or later as appropriate for your stable series, available via the upstream commits at https://git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3 and the related fix commits listed in the EUVD advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog all Linux systems using btrfs filesystem with EXTENT_TREE_V2 enabled. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-46244 CRITICAL Act Now

9.1 Jun 03

Firewall bypass in the Linux kernel's netfilter nft_inner module (versions 6.2 and later) allows remote attackers to for

CVE-2026-46266 CRITICAL Act Now

9.1 Jun 03

Remote manipulation of the Linux kernel's IPv4 routing cache is possible through RAW sockets bound to IPPROTO_RAW (proto

CVE-2026-46264 HIGH This Week

8.8 Jun 03

Local privilege escalation potential exists in the Linux kernel's Intel Xe DRM driver (drm/xe/pf) due to a sysfs initial

CVE-2026-46273 HIGH This Week

8.6 Jun 03

Remote denial of service in the Linux kernel ibmveth driver on IBM Power systems allows attackers to freeze physical net

CVE-2026-46270 HIGH This Week

8.4 Jun 03

Use-after-free in the Linux kernel's rt9455 power supply driver allows local attackers to trigger memory corruption or s

CVE-2026-46251 vulnerability details – vuln.today

Back

Linux Kernel CVE-2026-46251

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code