Skip to main content

Linux Kernel EUVDEUVD-2026-32258

| CVE-2026-45974 MEDIUM
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9f93-r4x7-fg5m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only trigger via btrfs quota enable ioctl requiring low privilege; impact is strictly a kernel crash with no confidentiality or integrity consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 02:54 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found

If btrfs_search_slot_for_read() returns 1, it means we did not find any key greater than or equals to the key we asked for, meaning we have reached the end of the tree and therefore the path is not valid. If this happens we need to break out of the loop and stop, instead of continuing and accessing an invalid path.

AnalysisAI

Invalid leaf access in the btrfs quota subsystem of the Linux kernel allows a local low-privileged user to crash the system by triggering a denial-of-service condition in btrfs_quota_enable(). When btrfs_search_slot_for_read() returns 1 - signaling end-of-tree with no valid key found - the function fails to exit its loop and proceeds to dereference the now-invalid path pointer, causing a kernel panic. Patched versions are confirmed across multiple stable series (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0); no public exploit or CISA KEV listing exists at time of analysis.

Technical ContextAI

The affected code resides in the btrfs (B-Tree Filesystem) subsystem, specifically in btrfs_quota_enable(), which manages quota group activation for btrfs volumes. The function invokes btrfs_search_slot_for_read() to locate a reference key in the internal quota tree; a return value of 1 from this function is a documented signal that the search reached the end of the tree without finding a matching or greater key, leaving the path in an invalid state. The bug is a missing conditional break: the loop does not exit on ret==1 and instead attempts to read from the invalid path object, triggering an out-of-bounds or null-pointer dereference on a tree leaf structure. This is functionally equivalent to CWE-754 (Improper Check for Unusual or Exceptional Conditions) applied to a kernel B-tree traversal. CPE data confirms the affected product as cpe:2.3:o:linux:linux_kernel:* across multiple stable branches, with specific 5.10 and 5.10:rc2 entries also named.

RemediationAI

The primary fix is to upgrade to a patched Linux kernel: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0, which all incorporate the upstream correction that adds the missing break condition on ret==1 in btrfs_quota_enable(). Relevant upstream stable commits are available at https://git.kernel.org/stable/c/023545e272f369d487e6a986c1e321c6e04be1da, https://git.kernel.org/stable/c/b2bd557b75b760e4b9d209112bda19314bd64558, and six additional sibling commits covering different stable series. As a compensating control where immediate kernel update is not feasible, administrators should avoid enabling btrfs quota groups (btrfs quota enable <mountpoint>) on affected systems; this eliminates the vulnerable code path entirely since btrfs_quota_enable() is only invoked when quota management is explicitly activated. The trade-off is loss of btrfs quota accounting functionality. Systems not using btrfs as a filesystem are not affected and require no action.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

EUVD-2026-32258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy