{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23036", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.943Z", "datePublished": "2026-01-31T11:42:30.782Z", "dateUpdated": "2026-05-11T21:58:45.739Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:45.739Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\nthe 'out' label with a path that has a read locked leaf and then we call\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\ntriggers inode eviction and that causes the release of the delayed inode,\nwhich must lock the delayed inode's mutex, and a task updating a delayed\ninode starts by taking the node's mutex and then modifying the inode's\nsubvolume btree.\n\nSyzbot reported the following lockdep splat for this:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n syzkaller #0 Not tainted\n ------------------------------------------------------\n btrfs-cleaner/8725 is trying to acquire lock:\n ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n\n but task is already holding lock:\n ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (btrfs-tree-00){++++}-{4:4}:\n __lock_release kernel/locking/lockdep.c:5574 [inline]\n lock_release+0x198/0x39c kernel/locking/lockdep.c:5889\n up_read+0x24/0x3c kernel/locking/rwsem.c:1632\n btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\n btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\n btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\n btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\n __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\n btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\n __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\n __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\n btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\n flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\n do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\n btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3263\n process_scheduled_works kernel/workqueue.c:3346 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3427\n kthread+0x5fc/0x75c kernel/kthread.c:463\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\n\n -> #0 (&delayed_node->mutex){+.+.}-{4:4}:\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain kernel/locking/lockdep.c:3908 [inline]\n __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\n lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\n __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\n __mutex_lock kernel/locking/mutex.c:760 [inline]\n mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\n __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\n btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\n btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\n evict+0x414/0x928 fs/inode.c:810\n iput_final fs/inode.c:1914 [inline]\n iput+0x95c/0xad4 fs/inode.c:1966\n iget_failed+0xec/0x134 fs/bad_inode.c:248\n btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\n btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\n btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\n btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/inode.c"], "versions": [{"version": "69673992b1aea5540199d9b8b658ede72f55a6cf", "lessThan": "65241e3ddda60b53a4ee3ae12721fc9ee21d5827", "status": "affected", "versionType": "git"}, {"version": "69673992b1aea5540199d9b8b658ede72f55a6cf", "lessThan": "1e1f2055ad5a7a5d548789b334a4473a7665c418", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/inode.c"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.7", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827"}, {"url": "https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418"}], "title": "btrfs: release path before iget_failed() in btrfs_read_locked_inode()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\n\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\nthe 'out' label with a path that has a read locked leaf and then we call\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\ntriggers inode eviction and that causes the release of the delayed inode,\nwhich must lock the delayed inode's mutex, and a task updating a delayed\ninode starts by taking the node's mutex and then modifying the inode's\nsubvolume btree.\n\nSyzbot reported the following lockdep splat for this:\n\n ======================================================\n WARNING: possible circular locking dependency detected\n syzkaller #0 Not tainted\n ------------------------------------------------------\n btrfs-cleaner/8725 is trying to acquire lock:\n ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n\n but task is already holding lock:\n ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\n\n which lock already depends on the new lock.\n\n the existing dependency chain (in reverse order) is:\n\n -> #1 (btrfs-tree-00){++++}-{4:4}:\n __lock_release kernel/locking/lockdep.c:5574 [inline]\n lock_release+0x198/0x39c kernel/locking/lockdep.c:5889\n up_read+0x24/0x3c kernel/locking/rwsem.c:1632\n btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\n btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\n btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\n btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\n __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\n btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\n __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\n __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\n btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\n flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\n do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\n btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\n process_one_work+0x7e8/0x155c kernel/workqueue.c:3263\n process_scheduled_works kernel/workqueue.c:3346 [inline]\n worker_thread+0x958/0xed8 kernel/workqueue.c:3427\n kthread+0x5fc/0x75c kernel/kthread.c:463\n ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\n\n -> #0 (&delayed_node->mutex){+.+.}-{4:4}:\n check_prev_add kernel/locking/lockdep.c:3165 [inline]\n check_prevs_add kernel/locking/lockdep.c:3284 [inline]\n validate_chain kernel/locking/lockdep.c:3908 [inline]\n __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\n lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\n __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\n __mutex_lock kernel/locking/mutex.c:760 [inline]\n mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\n __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\n btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\n btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\n btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\n evict+0x414/0x928 fs/inode.c:810\n iput_final fs/inode.c:1914 [inline]\n iput+0x95c/0xad4 fs/inode.c:1966\n iget_failed+0xec/0x134 fs/bad_inode.c:248\n btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\n btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\n btrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\n btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\n---truncated---"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: btrfs: liberar la ruta antes de iget_failed() en btrfs_read_locked_inode() En btrfs_read_locked_inode() si no logramos buscar el inodo, saltamos a la etiqueta 'out' con una ruta que tiene una hoja bloqueada para lectura y luego llamamos a iget_failed(). Esto puede resultar en un interbloqueo ABBA, ya que iget_failed() activa el desalojo del inodo y eso causa la liberaci\u00f3n del inodo retrasado, el cual debe bloquear el mutex del inodo retrasado, y una tarea que actualiza un inodo retrasado comienza tomando el mutex del nodo y luego modificando el btree del subvolumen del inodo. Syzbot inform\u00f3 el siguiente splat de lockdep para esto: ADVERTENCIA: posible dependencia de bloqueo circular detectada syzkaller #0 No contaminado btrfs-cleaner/8725 est\u00e1 intentando adquirir el bloqueo: ffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, en: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 pero la tarea ya tiene el bloqueo: ffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, en: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145 cuyo bloqueo ya depende del nuevo bloqueo. la cadena de dependencia existente (en orden inverso) es: -> #1 (btrfs-tree-00){++++}-{4:4}: __lock_release kernel/locking/lockdep.c:5574 [en l\u00ednea] lock_release+0x198/0x39c kernel/locking/lockdep.c:5889 up_read+0x24/0x3c kernel/locking/rwsem.c:1632 btrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169 btrfs_tree_unlock_rw fs/btrfs/locking.h:218 [en l\u00ednea] btrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133 btrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395 __btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032 btrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [en l\u00ednea] __btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141 __btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176 btrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219 flush_space+0x26c/0xb68 fs/btrfs/space-info.c:828 do_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158 btrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226 process_one_work+0x7e8/0x155c kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [en l\u00ednea] worker_thread+0x958/0xed8 kernel/workqueue.c:3427 kthread+0x5fc/0x75c kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844 -> #0 (&delayed_node->mutex){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [en l\u00ednea] check_prevs_add kernel/locking/lockdep.c:3284 [en l\u00ednea] validate_chain kernel/locking/lockdep.c:3908 [en l\u00ednea] __lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237 lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868 __mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598 __mutex_lock kernel/locking/mutex.c:760 [en l\u00ednea] mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812 __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290 btrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [en l\u00ednea] btrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326 btrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587 evict+0x414/0x928 fs/inode.c:810 iput_final fs/inode.c:1914 [en l\u00ednea] iput+0x95c/0xad4 fs/inode.c:1966 iget_failed+0xec/0x134 fs/bad_inode.c:248 btrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101 btrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837 trfs_run_defrag_inode fs/btrfs/defrag.c:237 [en l\u00ednea] btrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf ---truncado---"}], "id": "CVE-2026-23036", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-01-31T12:16:06.910", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: btrfs: release path before iget_failed() in btrfs_read_locked_inode()", "id": "2435637", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435637"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nbtrfs: release path before iget_failed() in btrfs_read_locked_inode()\nIn btrfs_read_locked_inode() if we fail to lookup the inode, we jump to\nthe 'out' label with a path that has a read locked leaf and then we call\niget_failed(). This can result in a ABBA deadlock, since iget_failed()\ntriggers inode eviction and that causes the release of the delayed inode,\nwhich must lock the delayed inode's mutex, and a task updating a delayed\ninode starts by taking the node's mutex and then modifying the inode's\nsubvolume btree.\nSyzbot reported the following lockdep splat for this:\n======================================================\nWARNING: possible circular locking dependency detected\nsyzkaller #0 Not tainted\n------------------------------------------------------\nbtrfs-cleaner/8725 is trying to acquire lock:\nffff0000d6826a48 (&delayed_node->mutex){+.+.}-{4:4}, at: __btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\nbut task is already holding lock:\nffff0000dbeba878 (btrfs-tree-00){++++}-{4:4}, at: btrfs_tree_read_lock_nested+0x44/0x2ec fs/btrfs/locking.c:145\nwhich lock already depends on the new lock.\nthe existing dependency chain (in reverse order) is:\n-> #1 (btrfs-tree-00){++++}-{4:4}:\n__lock_release kernel/locking/lockdep.c:5574 [inline]\nlock_release+0x198/0x39c kernel/locking/lockdep.c:5889\nup_read+0x24/0x3c kernel/locking/rwsem.c:1632\nbtrfs_tree_read_unlock+0xdc/0x298 fs/btrfs/locking.c:169\nbtrfs_tree_unlock_rw fs/btrfs/locking.h:218 [inline]\nbtrfs_search_slot+0xa6c/0x223c fs/btrfs/ctree.c:2133\nbtrfs_lookup_inode+0xd8/0x38c fs/btrfs/inode-item.c:395\n__btrfs_update_delayed_inode+0x124/0xed0 fs/btrfs/delayed-inode.c:1032\nbtrfs_update_delayed_inode fs/btrfs/delayed-inode.c:1118 [inline]\n__btrfs_commit_inode_delayed_items+0x15f8/0x1748 fs/btrfs/delayed-inode.c:1141\n__btrfs_run_delayed_items+0x1ac/0x514 fs/btrfs/delayed-inode.c:1176\nbtrfs_run_delayed_items_nr+0x28/0x38 fs/btrfs/delayed-inode.c:1219\nflush_space+0x26c/0xb68 fs/btrfs/space-info.c:828\ndo_async_reclaim_metadata_space+0x110/0x364 fs/btrfs/space-info.c:1158\nbtrfs_async_reclaim_metadata_space+0x90/0xd8 fs/btrfs/space-info.c:1226\nprocess_one_work+0x7e8/0x155c kernel/workqueue.c:3263\nprocess_scheduled_works kernel/workqueue.c:3346 [inline]\nworker_thread+0x958/0xed8 kernel/workqueue.c:3427\nkthread+0x5fc/0x75c kernel/kthread.c:463\nret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844\n-> #0 (&delayed_node->mutex){+.+.}-{4:4}:\ncheck_prev_add kernel/locking/lockdep.c:3165 [inline]\ncheck_prevs_add kernel/locking/lockdep.c:3284 [inline]\nvalidate_chain kernel/locking/lockdep.c:3908 [inline]\n__lock_acquire+0x1774/0x30a4 kernel/locking/lockdep.c:5237\nlock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5868\n__mutex_lock_common+0x1d0/0x2678 kernel/locking/mutex.c:598\n__mutex_lock kernel/locking/mutex.c:760 [inline]\nmutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:812\n__btrfs_release_delayed_node+0xa0/0x9b0 fs/btrfs/delayed-inode.c:290\nbtrfs_release_delayed_node fs/btrfs/delayed-inode.c:315 [inline]\nbtrfs_remove_delayed_node+0x68/0x84 fs/btrfs/delayed-inode.c:1326\nbtrfs_evict_inode+0x578/0xe28 fs/btrfs/inode.c:5587\nevict+0x414/0x928 fs/inode.c:810\niput_final fs/inode.c:1914 [inline]\niput+0x95c/0xad4 fs/inode.c:1966\niget_failed+0xec/0x134 fs/bad_inode.c:248\nbtrfs_read_locked_inode+0xe1c/0x1234 fs/btrfs/inode.c:4101\nbtrfs_iget+0x1b0/0x264 fs/btrfs/inode.c:5837\nbtrfs_run_defrag_inode fs/btrfs/defrag.c:237 [inline]\nbtrfs_run_defrag_inodes+0x520/0xdc4 fs/btrf\n---truncated---"], "name": "CVE-2026-23036", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23036\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23036\nhttps://lore.kernel.org/linux-cve-announce/2026013121-CVE-2026-23036-17dd@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T00:52:44.775545+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that contains the btrfs deadlock fix. The vendor\u2019s stable updates address this issue; install the latest available revision for your distribution.", "Enable kernel lock debugging or monitor btrfs activity for signs of lockdep warnings, as they may indicate the deadlock is occurring in the field.", "If an immediate kernel update is not possible, monitor the system for hangs or unexpected reboots and plan a scheduled kernel upgrade during maintenance windows."], "summary": {"action": "Assess Impact", "impact": "Deadlock leading to system hang"}, "threat_synthesis": {"affected_systems": "The issue affects any Linux kernel that implements the btrfs file system. No specific kernel release is listed, so the vulnerability may be present in all current and older versions that expose the bug until it is patched.", "description_and_impact": "An internal bug in the Linux kernel\u2019s btrfs file system can cause an ABBA deadlock when the path to a delayed inode is released before an inode lookup failure is handled. The resulting circular lock dependency can bring the kernel to a halt, causing the system to become unresponsive or to require a reboot. The severity is not a data breach but a denial\u2011of\u2011service condition that may disrupt all processes running on the affected node.", "risk_and_exploitability": "The CVSS score of 5.5 and an EPSS of\u00a0<\u00a01% imply a moderate base risk with a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog and no publicly known exploits exist. The likely attack vector is local; an attacker may trigger the deadlock by performing btrfs file operations that cause an inode lookup to fail, such as manipulating files or triggering space reclamation. If exploited, the kernel would deadlock and a system restart would be required to recover."}}}}, "created": "2026-04-18T01:00:11.628768+00:00", "updated": "2026-04-18T01:00:11.628785+00:00", "vendors": [], "weaknesses": ["CWE-667"]}