{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23223", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.987Z", "datePublished": "2026-02-18T14:53:26.603Z", "dateUpdated": "2026-05-11T22:02:42.267Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:42.267Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix UAF in xchk_btree_check_block_owner\n\nWe cannot dereference bs->cur when trying to determine if bs->cur\naliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.\nFix this by sampling before type before any freeing could happen.\nThe correct temporal ordering was broken when we removed xfs_btnum_t."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/xfs/scrub/btree.c"], "versions": [{"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa", "lessThan": "1d411278dda293a507cb794db7d9ed3511c685c6", "status": "affected", "versionType": "git"}, {"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa", "lessThan": "ed82e7949f5cac3058f4100f3cd670531d41a266", "status": "affected", "versionType": "git"}, {"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa", "lessThan": "ba5264610423d9653aa36920520902d83841bcfd", "status": "affected", "versionType": "git"}, {"version": "ec793e690f801d97a7ae2a0d429fea1fee4d44aa", "lessThan": "1c253e11225bc5167217897885b85093e17c2217", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/xfs/scrub/btree.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.72", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.72"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1d411278dda293a507cb794db7d9ed3511c685c6"}, {"url": "https://git.kernel.org/stable/c/ed82e7949f5cac3058f4100f3cd670531d41a266"}, {"url": "https://git.kernel.org/stable/c/ba5264610423d9653aa36920520902d83841bcfd"}, {"url": "https://git.kernel.org/stable/c/1c253e11225bc5167217897885b85093e17c2217"}], "title": "xfs: fix UAF in xchk_btree_check_block_owner", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BC3EBF44-550D-4B5C-9CD4-93342B1A49F4", "versionEndExcluding": "6.12.72", "versionStartIncluding": "6.9", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: fix UAF in xchk_btree_check_block_owner\n\nWe cannot dereference bs->cur when trying to determine if bs->cur\naliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.\nFix this by sampling before type before any freeing could happen.\nThe correct temporal ordering was broken when we removed xfs_btnum_t."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nxfs: se corrige UAF en xchk_btree_check_block_owner\n\nNo podemos desreferenciar bs->cur al intentar determinar si bs->cur es un alias de bs->sc->sa.{bno,rmap}_cur despu\u00e9s de que este \u00faltimo haya sido liberado. Esto se soluciona muestreando el tipo antes de que pudiera ocurrir cualquier liberaci\u00f3n. El orden temporal correcto se rompi\u00f3 cuando eliminamos xfs_btnum_t."}], "id": "CVE-2026-23223", "lastModified": "2026-03-18T14:46:29.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:32.037", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1c253e11225bc5167217897885b85093e17c2217"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d411278dda293a507cb794db7d9ed3511c685c6"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ba5264610423d9653aa36920520902d83841bcfd"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/ed82e7949f5cac3058f4100f3cd670531d41a266"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: xfs: fix UAF in xchk_btree_check_block_owner", "id": "2440674", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440674"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\nxfs: fix UAF in xchk_btree_check_block_owner\nWe cannot dereference bs->cur when trying to determine if bs->cur\naliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed.\nFix this by sampling before type before any freeing could happen.\nThe correct temporal ordering was broken when we removed xfs_btnum_t."], "name": "CVE-2026-23223", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23223\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23223\nhttps://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23223-e3d3@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1d411278dda293a507cb794db7d9ed3511c685c6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ed82e7949f5cac3058f4100f3cd670531d41a266)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,ba5264610423d9653aa36920520902d83841bcfd)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.72,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.11,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.1,6.19.*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T17:03:56.258022+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the CVE-2026-23223 fix (refer to the patch commit in the Linux kernel Git repository).", "If a kernel upgrade is not immediately possible, unmount or otherwise disable XFS filesystems to prevent the vulnerable code path from being executed.", "Apply any vendor backport that incorporates the same use\u2011after\u2011free fix for your kernel version."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011After\u2011Free in Linux XFS kernel code"}, "threat_synthesis": {"affected_systems": "The flaw affects any Linux kernel that includes the XFS filesystem and does not contain the patch that fixed the temporal ordering issue in the use\u2011after\u2011free. No specific downstream version numbers are listed, so all kernels lacking the commit that performed the fix are considered vulnerable.", "description_and_impact": "The vulnerability manifests as a use\u2011after\u2011free bug in the XFS filesystem component of the Linux kernel, occurring when the code dereferences a freed pointer while checking block ownership in a B\u2011tree. This flaw can corrupt kernel memory and lead to a kernel crash, potentially causing denial of service. While kernel memory corruption could be leveraged for arbitrary code execution in theory, the CVE description does not detail a confirmed execution path, so such an outcome requires additional conditions not specified in the report.", "risk_and_exploitability": "The CVSS score of 7.8 indicates a moderate\u2011to\u2011high severity, but the EPSS of <1% suggests a low likelihood of active exploitation. The flaw is not listed in the CISA KEV catalog. Because the vulnerable code resides in the filesystem driver, the most likely attack vector is local and requires manipulation of XFS file system data by a privileged or compromised process."}}}}, "created": "2026-02-19T10:11:48.583923+00:00", "updated": "2026-04-15T17:30:10.420385+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}