Skip to main content

Linux Kernel EUVDEUVD-2026-28664

| CVE-2026-43358 MEDIUM
2026-05-08 Linux GHSA-hgfh-gxxh-hw2v
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 16:08 vuln.today
CVSS changed
May 15, 2026 - 16:07 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

btrfs: add missing RCU unlock in error path in try_release_subpage_extent_buffer()

Call rcu_read_lock() before exiting the loop in try_release_subpage_extent_buffer() because there is a rcu_read_unlock() call past the loop.

This has been detected by the Clang thread-safety analyzer.

AnalysisAI

RCU locking imbalance in Linux kernel btrfs filesystem code causes local denial of service. The try_release_subpage_extent_buffer() function in btrfs can exit an error path without properly releasing an RCU read lock, creating a locking inconsistency that leads to system instability. Affects Linux kernel versions 6.17 through pre-7.0, with patches available in stable branches 6.18.19, 6.19.9, and mainline 7.0. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity. The flaw was detected through static analysis using Clang's thread-safety analyzer rather than field exploitation, suggesting lower immediate real-world risk despite the high-availability CVSS impact rating.

Technical ContextAI

The vulnerability resides in the btrfs (B-tree filesystem) subpage extent buffer management code, specifically in try_release_subpage_extent_buffer(). RCU (Read-Copy-Update) is a Linux kernel synchronization mechanism that allows lock-free reads during concurrent updates by deferring destructive operations until all readers complete their critical sections. The bug manifests as a missing rcu_read_unlock() call in an error path that prematurely exits a loop-the function enters an RCU read-side critical section with rcu_read_lock() but fails to balance it with the corresponding unlock before returning on error. This creates a locking imbalance where the RCU subsystem believes a reader is still active, potentially blocking synchronize_rcu() indefinitely and preventing memory reclamation. The issue affects btrfs subpage support code introduced in commit ad580dfa388f, which enables btrfs to handle page sizes larger than the filesystem block size. Static analysis tools like Clang's thread-safety analyzer can detect such path-coverage issues that traditional testing might miss.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.19 or later in the 6.18.x stable series, 6.19.9 or later in 6.19.x, or mainline kernel 7.0+. Patches are available from kernel.org stable git repositories at the referenced commit URLs (5e1ab71f74a1, b2840e33127c, 35b0c8768e84). For systems unable to immediately upgrade, disable btrfs subpage support if not required-this can be achieved by mounting btrfs filesystems with traditional page-size blocks rather than subpage configurations, though this may reduce functionality on systems with large page sizes (e.g., ARM64 with 64KB pages). Note that disabling subpage support may prevent mounting existing filesystems formatted with subpage features; test thoroughly before production deployment. As a detection control, monitor kernel logs for RCU stall warnings or hung task messages related to btrfs operations, though these symptoms may only appear under specific memory pressure or concurrent access patterns. No compensating network-level controls apply since this is a local kernel issue. The fix is a simple one-line addition to ensure proper lock release, making it low-risk to apply during standard maintenance windows.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28664 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy