{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23043", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.944Z", "datePublished": "2026-02-04T16:00:26.353Z", "dateUpdated": "2026-05-11T21:58:53.815Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:53.815Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix NULL pointer dereference in do_abort_log_replay()\n\nCoverity reported a NULL pointer dereference issue (CID 1666756) in\ndo_abort_log_replay(). When btrfs_alloc_path() fails in\nreplay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay()\ncalls do_abort_log_replay() which unconditionally dereferences\nwc->subvol_path when attempting to print debug information. Fix this by\nadding a NULL check before dereferencing wc->subvol_path in\ndo_abort_log_replay()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/tree-log.c"], "versions": [{"version": "2753e49176240f21e4bb10e03514f99e732704bb", "lessThan": "6d1b61b8e1e44888c643d89225ab819b10649b2e", "status": "affected", "versionType": "git"}, {"version": "2753e49176240f21e4bb10e03514f99e732704bb", "lessThan": "530e3d4af566ca44807d79359b90794dea24c4f3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/btrfs/tree-log.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6d1b61b8e1e44888c643d89225ab819b10649b2e"}, {"url": "https://git.kernel.org/stable/c/530e3d4af566ca44807d79359b90794dea24c4f3"}], "title": "btrfs: fix NULL pointer dereference in do_abort_log_replay()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix NULL pointer dereference in do_abort_log_replay()\n\nCoverity reported a NULL pointer dereference issue (CID 1666756) in\ndo_abort_log_replay(). When btrfs_alloc_path() fails in\nreplay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay()\ncalls do_abort_log_replay() which unconditionally dereferences\nwc->subvol_path when attempting to print debug information. Fix this by\nadding a NULL check before dereferencing wc->subvol_path in\ndo_abort_log_replay()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbtrfs: corrige la desreferencia de puntero NULL en do_abort_log_replay()\n\nCoverity inform\u00f3 un problema de desreferencia de puntero NULL (CID 1666756) en do_abort_log_replay(). Cuando btrfs_alloc_path() falla en replay_one_buffer(), wc->subvol_path es NULL, pero btrfs_abort_log_replay() llama a do_abort_log_replay() que desreferencia incondicionalmente wc->subvol_path al intentar imprimir informaci\u00f3n de depuraci\u00f3n. Esto se corrige a\u00f1adiendo una comprobaci\u00f3n de NULL antes de desreferenciar wc->subvol_path en do_abort_log_replay()."}], "id": "CVE-2026-23043", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T16:16:19.793", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/530e3d4af566ca44807d79359b90794dea24c4f3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6d1b61b8e1e44888c643d89225ab819b10649b2e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: btrfs: fix NULL pointer dereference in do_abort_log_replay()", "id": "2436769", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436769"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23043", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23043\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23043\nhttps://lore.kernel.org/linux-cve-announce/2026020439-CVE-2026-23043-4975@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-04-18T14:01:44.763696+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a release that contains the Btrfs null\u2011pointer dereference fix and reboot to activate it.", "If an immediate kernel upgrade is not available, restrict the use of Btrfs or keep systems out of production until a patched kernel is deployed.", "Continue to monitor kernel logs for Btrfs\u2011related panic messages so that any remaining instances of the flaw can be detected and mitigated promptly."], "summary": {"action": "Patch", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "All Linux kernel versions that include the Btrfs file system and have not yet incorporated the fix that guards the dereference in do_abort_log_replay() are affected. The CNA does not supply specific version ranges, so the impact covers any Linux kernel release before the one that includes the patch. Users running unpatched kernels that rely on Btrfs should verify whether they are running the vulnerable code path.", "description_and_impact": "The vulnerability is a NULL pointer dereference in the Btrfs file system\u2019s log replay routine. During recovery from a corrupted or incomplete log, the code attempts to print debugging information and unconditionally dereferences a pointer that may be NULL, which can cause a kernel panic and lead to a system-wide denial of service. This weakness is a classic pointer validation failure and does not grant code execution or privilege escalation, but a crash can disrupt any user with kernel access.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a medium severity, while the EPSS score of less than 1\u202f% indicates a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local or requires elevated privileges to manipulate Btrfs metadata or intentionally trigger a replay failure. Existing patches add a NULL check to prevent the crash; systems that have not applied the fix remain vulnerable to a condition that may cause a kernel panic."}}}}, "created": "2026-04-18T14:15:04.105591+00:00", "updated": "2026-04-18T14:15:04.105602+00:00", "vendors": [], "weaknesses": ["CWE-476"]}