{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23018", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.940Z", "datePublished": "2026-01-31T11:39:02.330Z", "dateUpdated": "2026-05-11T21:58:24.780Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:24.780Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n [6.1433] ======================================================\n [6.1574] WARNING: possible circular locking dependency detected\n [6.1583] 6.18.0+ #4 Tainted: G U\n [6.1591] ------------------------------------------------------\n [6.1599] kswapd0/117 is trying to acquire lock:\n [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1625]\n but task is already holding lock:\n [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n [6.1646]\n which lock already depends on the new lock.\n\n [6.1657]\n the existing dependency chain (in reverse order) is:\n [6.1667]\n -> #2 (fs_reclaim){+.+.}-{0:0}:\n [6.1677] fs_reclaim_acquire+0x9d/0xd0\n [6.1685] __kmalloc_cache_noprof+0x59/0x750\n [6.1694] btrfs_init_file_extent_tree+0x90/0x100\n [6.1702] btrfs_read_locked_inode+0xc3/0x6b0\n [6.1710] btrfs_iget+0xbb/0xf0\n [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0\n [6.1724] btrfs_lookup+0x12/0x30\n [6.1731] lookup_open.isra.0+0x1aa/0x6a0\n [6.1739] path_openat+0x5f7/0xc60\n [6.1746] do_filp_open+0xd6/0x180\n [6.1753] do_sys_openat2+0x8b/0xe0\n [6.1760] __x64_sys_openat+0x54/0xa0\n [6.1768] do_syscall_64+0x97/0x3e0\n [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1784]\n -> #1 (btrfs-tree-00){++++}-{3:3}:\n [6.1794] lock_release+0x127/0x2a0\n [6.1801] up_read+0x1b/0x30\n [6.1808] btrfs_search_slot+0x8e0/0xff0\n [6.1817] btrfs_lookup_inode+0x52/0xd0\n [6.1825] __btrfs_update_delayed_inode+0x73/0x520\n [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120\n [6.1842] btrfs_log_inode+0x608/0x1aa0\n [6.1849] btrfs_log_inode_parent+0x249/0xf80\n [6.1857] btrfs_log_dentry_safe+0x3e/0x60\n [6.1865] btrfs_sync_file+0x431/0x690\n [6.1872] do_fsync+0x39/0x80\n [6.1879] __x64_sys_fsync+0x13/0x20\n [6.1887] do_syscall_64+0x97/0x3e0\n [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1903]\n -> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n [6.1913] __lock_acquire+0x15e9/0x2820\n [6.1920] lock_acquire+0xc9/0x2d0\n [6.1927] __mutex_lock+0xcc/0x10a0\n [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1944] btrfs_evict_inode+0x20b/0x4b0\n [6.1952] evict+0x15a/0x2f0\n [6.1958] prune_icache_sb+0x91/0xd0\n [6.1966] super_cache_scan+0x150/0x1d0\n [6.1974] do_shrink_slab+0x155/0x6f0\n [6.1981] shrink_slab+0x48e/0x890\n [6.1988] shrink_one+0x11a/0x1f0\n [6.1995] shrink_node+0xbfd/0x1320\n [6.1002] balance_pgdat+0x67f/0xc60\n [6.1321] kswapd+0x1dc/0x3e0\n [6.1643] kthread+0xff/0x240\n [6.1965] ret_from_fork+0x223/0x280\n [6.1287] ret_from_fork_asm+0x1a/0x30\n [6.1616]\n other info that might help us debug this:\n\n [6.1561] Chain exists of:\n &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim\n\n [6.1503] Possible unsafe locking scenario:\n\n [6.1110] CPU0 CPU1\n [6.1411] ---- ----\n [6.1707] lock(fs_reclaim);\n [6.1998] lock(btrfs-tree-00);\n [6.1291] lock(fs_reclaim);\n [6.1581] lock(&del\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/inode.c"], "versions": [{"version": "8679d2687c351824d08cf1f0e86f3b65f22a00fe", "lessThan": "92a5590851144f034adc51fee55e6878ccac716e", "status": "affected", "versionType": "git"}, {"version": "8679d2687c351824d08cf1f0e86f3b65f22a00fe", "lessThan": "8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347", "status": "affected", "versionType": "git"}, {"version": "e8f496001e0c7832d188ab91fea294e19a128202", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/inode.c"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.9"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e"}, {"url": "https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347"}], "title": "btrfs: release path before initializing extent tree in btrfs_read_locked_inode()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "98F094CD-A7F6-4BEA-8870-C45B63E05825", "versionEndExcluding": "6.17", "versionStartIncluding": "6.16.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F0BAC72-4991-44BB-A7D4-90D634550955", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.17.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*", "matchCriteriaId": "7CC8B11D-82DC-4958-8DC7-BF5CC829A5E9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*", "matchCriteriaId": "F5DC0CA6-F0AF-4DDF-A882-3DADB9A886A7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*", "matchCriteriaId": "EB5B7DFC-C36B-45D8-922C-877569FDDF43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\n\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n\n [6.1433] ======================================================\n [6.1574] WARNING: possible circular locking dependency detected\n [6.1583] 6.18.0+ #4 Tainted: G U\n [6.1591] ------------------------------------------------------\n [6.1599] kswapd0/117 is trying to acquire lock:\n [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1625]\n but task is already holding lock:\n [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n [6.1646]\n which lock already depends on the new lock.\n\n [6.1657]\n the existing dependency chain (in reverse order) is:\n [6.1667]\n -> #2 (fs_reclaim){+.+.}-{0:0}:\n [6.1677] fs_reclaim_acquire+0x9d/0xd0\n [6.1685] __kmalloc_cache_noprof+0x59/0x750\n [6.1694] btrfs_init_file_extent_tree+0x90/0x100\n [6.1702] btrfs_read_locked_inode+0xc3/0x6b0\n [6.1710] btrfs_iget+0xbb/0xf0\n [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0\n [6.1724] btrfs_lookup+0x12/0x30\n [6.1731] lookup_open.isra.0+0x1aa/0x6a0\n [6.1739] path_openat+0x5f7/0xc60\n [6.1746] do_filp_open+0xd6/0x180\n [6.1753] do_sys_openat2+0x8b/0xe0\n [6.1760] __x64_sys_openat+0x54/0xa0\n [6.1768] do_syscall_64+0x97/0x3e0\n [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1784]\n -> #1 (btrfs-tree-00){++++}-{3:3}:\n [6.1794] lock_release+0x127/0x2a0\n [6.1801] up_read+0x1b/0x30\n [6.1808] btrfs_search_slot+0x8e0/0xff0\n [6.1817] btrfs_lookup_inode+0x52/0xd0\n [6.1825] __btrfs_update_delayed_inode+0x73/0x520\n [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120\n [6.1842] btrfs_log_inode+0x608/0x1aa0\n [6.1849] btrfs_log_inode_parent+0x249/0xf80\n [6.1857] btrfs_log_dentry_safe+0x3e/0x60\n [6.1865] btrfs_sync_file+0x431/0x690\n [6.1872] do_fsync+0x39/0x80\n [6.1879] __x64_sys_fsync+0x13/0x20\n [6.1887] do_syscall_64+0x97/0x3e0\n [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [6.1903]\n -> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n [6.1913] __lock_acquire+0x15e9/0x2820\n [6.1920] lock_acquire+0xc9/0x2d0\n [6.1927] __mutex_lock+0xcc/0x10a0\n [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0\n [6.1944] btrfs_evict_inode+0x20b/0x4b0\n [6.1952] evict+0x15a/0x2f0\n [6.1958] prune_icache_sb+0x91/0xd0\n [6.1966] super_cache_scan+0x150/0x1d0\n [6.1974] do_shrink_slab+0x155/0x6f0\n [6.1981] shrink_slab+0x48e/0x890\n [6.1988] shrink_one+0x11a/0x1f0\n [6.1995] shrink_node+0xbfd/0x1320\n [6.1002] balance_pgdat+0x67f/0xc60\n [6.1321] kswapd+0x1dc/0x3e0\n [6.1643] kthread+0xff/0x240\n [6.1965] ret_from_fork+0x223/0x280\n [6.1287] ret_from_fork_asm+0x1a/0x30\n [6.1616]\n other info that might help us debug this:\n\n [6.1561] Chain exists of:\n &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim\n\n [6.1503] Possible unsafe locking scenario:\n\n [6.1110] CPU0 CPU1\n [6.1411] ---- ----\n [6.1707] lock(fs_reclaim);\n [6.1998] lock(btrfs-tree-00);\n [6.1291] lock(fs_reclaim);\n [6.1581] lock(&del\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: btrfs: liberar ruta antes de inicializar el \u00e1rbol de extensiones en btrfs_read_locked_inode() En btrfs_read_locked_inode() estamos llamando a btrfs_init_file_extent_tree() mientras mantenemos una ruta con una hoja bloqueada para lectura de un \u00e1rbol de subvolumen, y btrfs_init_file_extent_tree() puede realizar una asignaci\u00f3n GFP_KERNEL, lo que puede activar la recuperaci\u00f3n. Esto puede crear una dependencia de bloqueo circular sobre la cual lockdep advierte con el siguiente splat: [6.1433] [6.1574] WARNING: posible dependencia de bloqueo circular detectada [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] [6.1599] kswapd0/117 est\u00e1 intentando adquirir el bloqueo: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, en: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] pero la tarea ya est\u00e1 manteniendo el bloqueo: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, en: balance_pgdat+0x195/0xc60 [6.1646] cuyo bloqueo ya depende del nuevo bloqueo. [6.1657] la cadena de dependencia existente (en orden inverso) es: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] otra informaci\u00f3n que podr\u00eda ayudarnos a depurar esto: [6.1561] La cadena existe de: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Posible escenario de bloqueo inseguro: [6.1110] CPU0 CPU1 [6.1411] [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del ---truncado---"}], "id": "CVE-2026-23018", "lastModified": "2026-03-25T18:02:15.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-31T12:16:05.100", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: btrfs: release path before initializing extent tree in btrfs_read_locked_inode()", "id": "2435638", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435638"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: release path before initializing extent tree in btrfs_read_locked_inode()\nIn btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree()\nwhile holding a path with a read locked leaf from a subvolume tree, and\nbtrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can\ntrigger reclaim.\nThis can create a circular lock dependency which lockdep warns about with\nthe following splat:\n[6.1433] ======================================================\n[6.1574] WARNING: possible circular locking dependency detected\n[6.1583] 6.18.0+ #4 Tainted: G U\n[6.1591] ------------------------------------------------------\n[6.1599] kswapd0/117 is trying to acquire lock:\n[6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0\n[6.1625]\nbut task is already holding lock:\n[6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60\n[6.1646]\nwhich lock already depends on the new lock.\n[6.1657]\nthe existing dependency chain (in reverse order) is:\n[6.1667]\n-> #2 (fs_reclaim){+.+.}-{0:0}:\n[6.1677] fs_reclaim_acquire+0x9d/0xd0\n[6.1685] __kmalloc_cache_noprof+0x59/0x750\n[6.1694] btrfs_init_file_extent_tree+0x90/0x100\n[6.1702] btrfs_read_locked_inode+0xc3/0x6b0\n[6.1710] btrfs_iget+0xbb/0xf0\n[6.1716] btrfs_lookup_dentry+0x3c5/0x8e0\n[6.1724] btrfs_lookup+0x12/0x30\n[6.1731] lookup_open.isra.0+0x1aa/0x6a0\n[6.1739] path_openat+0x5f7/0xc60\n[6.1746] do_filp_open+0xd6/0x180\n[6.1753] do_sys_openat2+0x8b/0xe0\n[6.1760] __x64_sys_openat+0x54/0xa0\n[6.1768] do_syscall_64+0x97/0x3e0\n[6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[6.1784]\n-> #1 (btrfs-tree-00){++++}-{3:3}:\n[6.1794] lock_release+0x127/0x2a0\n[6.1801] up_read+0x1b/0x30\n[6.1808] btrfs_search_slot+0x8e0/0xff0\n[6.1817] btrfs_lookup_inode+0x52/0xd0\n[6.1825] __btrfs_update_delayed_inode+0x73/0x520\n[6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120\n[6.1842] btrfs_log_inode+0x608/0x1aa0\n[6.1849] btrfs_log_inode_parent+0x249/0xf80\n[6.1857] btrfs_log_dentry_safe+0x3e/0x60\n[6.1865] btrfs_sync_file+0x431/0x690\n[6.1872] do_fsync+0x39/0x80\n[6.1879] __x64_sys_fsync+0x13/0x20\n[6.1887] do_syscall_64+0x97/0x3e0\n[6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[6.1903]\n-> #0 (&delayed_node->mutex){+.+.}-{3:3}:\n[6.1913] __lock_acquire+0x15e9/0x2820\n[6.1920] lock_acquire+0xc9/0x2d0\n[6.1927] __mutex_lock+0xcc/0x10a0\n[6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0\n[6.1944] btrfs_evict_inode+0x20b/0x4b0\n[6.1952] evict+0x15a/0x2f0\n[6.1958] prune_icache_sb+0x91/0xd0\n[6.1966] super_cache_scan+0x150/0x1d0\n[6.1974] do_shrink_slab+0x155/0x6f0\n[6.1981] shrink_slab+0x48e/0x890\n[6.1988] shrink_one+0x11a/0x1f0\n[6.1995] shrink_node+0xbfd/0x1320\n[6.1002] balance_pgdat+0x67f/0xc60\n[6.1321] kswapd+0x1dc/0x3e0\n[6.1643] kthread+0xff/0x240\n[6.1965] ret_from_fork+0x223/0x280\n[6.1287] ret_from_fork_asm+0x1a/0x30\n[6.1616]\nother info that might help us debug this:\n[6.1561] Chain exists of:\n&delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim\n[6.1503] Possible unsafe locking scenario:\n[6.1110] CPU0 CPU1\n[6.1411] ---- ----\n[6.1707] lock(fs_reclaim);\n[6.1998] lock(btrfs-tree-00);\n[6.1291] lock(fs_reclaim);\n[6.1581] lock(&del\n---truncated---"], "name": "CVE-2026-23018", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23018\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23018\nhttps://lore.kernel.org/linux-cve-announce/2026013135-CVE-2026-23018-642e@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T19:48:12.837263+00:00", "value": {"mitigation_remediation": ["Apply the Linux kernel patch that relocates the btrfs_init_file_extent_tree() call to after the path is released; the patch is available in newer mainline releases and can be applied manually via git or by installing a kernel incorporating the change.", "Upgrade the kernel to the most recent stable version that includes the fix, such as Linux 6.19 or later, ensuring the btrfs subsystem has been updated.", "After applying the patch or upgrade, monitor kernel logs for lockdep warnings about circular locking dependencies and confirm that no kernel panics occur during file operations."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects the Linux kernel, specifically btrfs on kernel versions 6.17 and the 6.19 release candidates 1 through 8. Any system running these kernels with a btrfs mount and performing file open or sync operations is exposed; other filesystems or kernel versions not listed are not impacted.", "description_and_impact": "A vulnerability in the Linux kernel\u2019s btrfs subsystem causes a circular lock dependency during file operations. In btrfs_read_locked_inode(), btrfs_init_file_extent_tree() is called while a read\u2011locked path remains held, and the function can allocate memory that triggers kernel reclamation. The allocation attempts to acquire a mutex that is already implicitly owned through a dependency chain involving fs_reclaim, leading lockdep to report a circular lock dependency. If this scenario occurs in practice, it can result in a deadlock or kernel panic, effectively preventing file access and potentially disrupting the entire system.", "risk_and_exploitability": "The CVSS score of 5.5 indicates medium severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that the bug requires local access to a system mounting btrfs, as the lock contention occurs during standard file open or sync actions. An attacker with sufficient local privileges could induce the lock cycle and cause a kernel deadlock or crash, resulting in a denial of service for file operations or system\u2011wide impact."}}}}, "created": "2026-04-18T20:00:09.273752+00:00", "updated": "2026-04-18T20:00:09.273766+00:00", "vendors": []}