CVE-2026-46251 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/201091da34c4f113af6b4a7407091c39bf29d4ca
https://git.kernel.org/stable/c/3a1f4264daed4b419c325a7fe35e756cada3cf82
https://git.kernel.org/stable/c/4eb830847d84276f1c8ea46541cfeeedaba1fb63
https://git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3
https://git.kernel.org/stable/c/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4
https://git.kernel.org/stable/c/e3d1fd084319f8f0830b22f014c7af6a96b4497b

Type	Values Removed	Values Added
Weaknesses		CWE-665 CWE-754

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block_group_tree dirty_list corruption When the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the block group tree to the switch_commits list before calling switch_commit_roots, as we do for the tree root and the chunk root. However, the block group tree uses normal root dirty tracking and in any transaction that does an allocation and dirties a block group, the block group root will already be linked to a list by the dirty_list field and this use of list_add_tail() is invalid and corrupts the prev/next members of block_group_root->dirty_list. This is apparent on a subsequent list_del on the prev if we enable CONFIG_DEBUG_LIST: [32.1571] ------------[ cut here ]------------ [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538) [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607 [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none) [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014 [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120 [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202 [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538 [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00 [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538 [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538 [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000 [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0 [32.1609] Call Trace: [32.1610] <TASK> [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs] [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs] [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs] [32.1621] __iterate_supers+0xe8/0x190 [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10 [32.1623] ksys_sync+0x63/0xb0 [32.1624] __do_sys_sync+0xe/0x20 [32.1625] do_syscall_64+0x73/0x450 [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e [32.1627] RIP: 0033:0x7f0c28d05d2b [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2 [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000 [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80 [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034 [32.1643] </TASK> [32.1644] irq event stamp: 0 [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260 [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0 [32.1652] ---[ end trace 0000000000000000 ]--- Furthermore, this list corruption eventually (when we happen to add a new block group) results in getting the switch_commits and dirty_cowonly_roots lists mixed up and attempting to call update_root on the tree root which can't be found in the tree root, resulting in a transaction abort: [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1 [87.8272] ------------[ cut here ]------------ [87.8274] BTRFS: Transaction aborted (error -117) [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703 [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none) [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0 ---truncated---
Title		btrfs: fix block_group_tree dirty_list corruption
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/201091da34c4f113af6b4a7407091c39bf29d4ca https://git.kernel.org/stable/c/3a1f4264daed4b419c325a7fe35e756cada3cf82 https://git.kernel.org/stable/c/4eb830847d84276f1c8ea46541cfeeedaba1fb63 https://git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3 https://git.kernel.org/stable/c/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4 https://git.kernel.org/stable/c/e3d1fd084319f8f0830b22f014c7af6a96b4497b

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46251", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-13T15:03:33.107Z", "datePublished": "2026-06-03T15:49:47.684Z", "dateUpdated": "2026-06-03T15:49:47.684Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-06-03T15:49:47.684Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block_group_tree dirty_list corruption\n\nWhen the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the\nblock group tree to the switch_commits list before calling\nswitch_commit_roots, as we do for the tree root and the chunk root.\nHowever, the block group tree uses normal root dirty tracking and in any\ntransaction that does an allocation and dirties a block group, the block\ngroup root will already be linked to a list by the dirty_list field and\nthis use of list_add_tail() is invalid and corrupts the prev/next\nmembers of block_group_root->dirty_list.\n\nThis is apparent on a subsequent list_del on the prev if we enable\nCONFIG_DEBUG_LIST:\n\n [32.1571] ------------[ cut here ]------------\n [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538)\n [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607\n [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none)\n [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014\n [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120\n [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202\n [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538\n [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00\n [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff\n [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538\n [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538\n [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000\n [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0\n [32.1609] Call Trace:\n [32.1610] <TASK>\n [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs]\n [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs]\n [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs]\n [32.1621] __iterate_supers+0xe8/0x190\n [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10\n [32.1623] ksys_sync+0x63/0xb0\n [32.1624] __do_sys_sync+0xe/0x20\n [32.1625] do_syscall_64+0x73/0x450\n [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [32.1627] RIP: 0033:0x7f0c28d05d2b\n [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2\n [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b\n [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d\n [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000\n [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80\n [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034\n [32.1643] </TASK>\n [32.1644] irq event stamp: 0\n [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0\n [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260\n [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260\n [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0\n [32.1652] ---[ end trace 0000000000000000 ]---\n\nFurthermore, this list corruption eventually (when we happen to add a\nnew block group) results in getting the switch_commits and\ndirty_cowonly_roots lists mixed up and attempting to call update_root\non the tree root which can't be found in the tree root, resulting in a\ntransaction abort:\n\n [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1\n [87.8272] ------------[ cut here ]------------\n [87.8274] BTRFS: Transaction aborted (error -117)\n [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703\n [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none)\n [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/transaction.c"], "versions": [{"version": "14033b08a02916e85ffc5397e4ac15337359f3ae", "lessThan": "6e10283b5519d987d880d71bec90cdc7f2ec62b3", "status": "affected", "versionType": "git"}, {"version": "14033b08a02916e85ffc5397e4ac15337359f3ae", "lessThan": "e3d1fd084319f8f0830b22f014c7af6a96b4497b", "status": "affected", "versionType": "git"}, {"version": "14033b08a02916e85ffc5397e4ac15337359f3ae", "lessThan": "4eb830847d84276f1c8ea46541cfeeedaba1fb63", "status": "affected", "versionType": "git"}, {"version": "14033b08a02916e85ffc5397e4ac15337359f3ae", "lessThan": "80e1fda9c084dcf54819a12bc7682ec0afd2d8f4", "status": "affected", "versionType": "git"}, {"version": "14033b08a02916e85ffc5397e4ac15337359f3ae", "lessThan": "201091da34c4f113af6b4a7407091c39bf29d4ca", "status": "affected", "versionType": "git"}, {"version": "14033b08a02916e85ffc5397e4ac15337359f3ae", "lessThan": "3a1f4264daed4b419c325a7fe35e756cada3cf82", "status": "affected", "versionType": "git"}, {"version": "dabf41db56f378a360ff0219c467f8dfecda7dd6", "status": "affected", "versionType": "git"}, {"version": "6.0.19", "lessThan": "6.1", "status": "affected", "versionType": "semver"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/transaction.c"], "versions": [{"version": "6.1", "status": "affected"}, {"version": "0", "lessThan": "6.1", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.165", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.14", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.4", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.165"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.18.14"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.19.4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "7.0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3"}, {"url": "https://git.kernel.org/stable/c/e3d1fd084319f8f0830b22f014c7af6a96b4497b"}, {"url": "https://git.kernel.org/stable/c/4eb830847d84276f1c8ea46541cfeeedaba1fb63"}, {"url": "https://git.kernel.org/stable/c/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4"}, {"url": "https://git.kernel.org/stable/c/201091da34c4f113af6b4a7407091c39bf29d4ca"}, {"url": "https://git.kernel.org/stable/c/3a1f4264daed4b419c325a7fe35e756cada3cf82"}], "title": "btrfs: fix block_group_tree dirty_list corruption", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block_group_tree dirty_list corruption\n\nWhen the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the\nblock group tree to the switch_commits list before calling\nswitch_commit_roots, as we do for the tree root and the chunk root.\nHowever, the block group tree uses normal root dirty tracking and in any\ntransaction that does an allocation and dirties a block group, the block\ngroup root will already be linked to a list by the dirty_list field and\nthis use of list_add_tail() is invalid and corrupts the prev/next\nmembers of block_group_root->dirty_list.\n\nThis is apparent on a subsequent list_del on the prev if we enable\nCONFIG_DEBUG_LIST:\n\n [32.1571] ------------[ cut here ]------------\n [32.1572] list_del corruption. next->prev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538)\n [32.1575] WARNING: lib/list_debug.c:65 at 0x0, CPU#3: sync/607\n [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none)\n [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04/01/2014\n [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108/0x120\n [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202\n [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538\n [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00\n [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff\n [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538\n [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538\n [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000\n [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0\n [32.1609] Call Trace:\n [32.1610] <TASK>\n [32.1611] switch_commit_roots+0x82/0x1d0 [btrfs]\n [32.1615] btrfs_commit_transaction+0x968/0x1550 [btrfs]\n [32.1618] ? btrfs_attach_transaction_barrier+0x23/0x60 [btrfs]\n [32.1621] __iterate_supers+0xe8/0x190\n [32.1622] ? __pfx_sync_fs_one_sb+0x10/0x10\n [32.1623] ksys_sync+0x63/0xb0\n [32.1624] __do_sys_sync+0xe/0x20\n [32.1625] do_syscall_64+0x73/0x450\n [32.1626] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [32.1627] RIP: 0033:0x7f0c28d05d2b\n [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2\n [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b\n [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d\n [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000\n [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80\n [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034\n [32.1643] </TASK>\n [32.1644] irq event stamp: 0\n [32.1644] hardirqs last enabled at (0): [<0000000000000000>] 0x0\n [32.1646] hardirqs last disabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260\n [32.1648] softirqs last enabled at (0): [<ffffffff81298817>]copy_process+0xb37/0x2260\n [32.1650] softirqs last disabled at (0): [<0000000000000000>] 0x0\n [32.1652] ---[ end trace 0000000000000000 ]---\n\nFurthermore, this list corruption eventually (when we happen to add a\nnew block group) results in getting the switch_commits and\ndirty_cowonly_roots lists mixed up and attempting to call update_root\non the tree root which can't be found in the tree root, resulting in a\ntransaction abort:\n\n [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1\n [87.8272] ------------[ cut here ]------------\n [87.8274] BTRFS: Transaction aborted (error -117)\n [87.8275] WARNING: fs/btrfs/root-tree.c:153 at 0x0, CPU#4: sync/703\n [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none)\n [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0\n---truncated---"}], "id": "CVE-2026-46251", "lastModified": "2026-06-03T18:16:25.603", "metrics": {}, "published": "2026-06-03T18:16:25.603", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/201091da34c4f113af6b4a7407091c39bf29d4ca"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3a1f4264daed4b419c325a7fe35e756cada3cf82"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4eb830847d84276f1c8ea46541cfeeedaba1fb63"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e10283b5519d987d880d71bec90cdc7f2ec62b3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e3d1fd084319f8f0830b22f014c7af6a96b4497b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object