{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23251", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.990Z", "datePublished": "2026-03-18T17:01:42.483Z", "dateUpdated": "2026-05-11T22:03:14.783Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:14.783Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: only call xf{array,blob}_destroy if we have a valid pointer\n\nOnly call the xfarray and xfblob destructor if we have a valid pointer,\nand be sure to null out that pointer afterwards. Note that this patch\nfixes a large number of commits, most of which were merged between 6.9\nand 6.10."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/xfs/scrub/agheader_repair.c", "fs/xfs/scrub/attr_repair.c", "fs/xfs/scrub/dir_repair.c", "fs/xfs/scrub/dirtree.c", "fs/xfs/scrub/nlinks.c"], "versions": [{"version": "ab97f4b1c030750f2475bf4da8a9554d02206640", "lessThan": "5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202", "status": "affected", "versionType": "git"}, {"version": "ab97f4b1c030750f2475bf4da8a9554d02206640", "lessThan": "c9ccefacae0d8091683447bc338bd7741417039d", "status": "affected", "versionType": "git"}, {"version": "ab97f4b1c030750f2475bf4da8a9554d02206640", "lessThan": "d827612c81a26cc1dd83a211cfcb5ad8765da0c4", "status": "affected", "versionType": "git"}, {"version": "ab97f4b1c030750f2475bf4da8a9554d02206640", "lessThan": "ba408d299a3bb3c5309f40c5326e4fb83ead4247", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["fs/xfs/scrub/agheader_repair.c", "fs/xfs/scrub/attr_repair.c", "fs/xfs/scrub/dir_repair.c", "fs/xfs/scrub/dirtree.c", "fs/xfs/scrub/nlinks.c"], "versions": [{"version": "6.10", "status": "affected"}, {"version": "0", "lessThan": "6.10", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.10", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202"}, {"url": "https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d"}, {"url": "https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4"}, {"url": "https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247"}], "title": "xfs: only call xf{array,blob}_destroy if we have a valid pointer", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: only call xf{array,blob}_destroy if we have a valid pointer\n\nOnly call the xfarray and xfblob destructor if we have a valid pointer,\nand be sure to null out that pointer afterwards. Note that this patch\nfixes a large number of commits, most of which were merged between 6.9\nand 6.10."}], "id": "CVE-2026-23251", "lastModified": "2026-03-19T13:25:00.570", "metrics": {}, "published": "2026-03-18T18:16:23.090", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ba408d299a3bb3c5309f40c5326e4fb83ead4247"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c9ccefacae0d8091683447bc338bd7741417039d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d827612c81a26cc1dd83a211cfcb5ad8765da0c4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: xfs: only call xf{array,blob}_destroy if we have a valid pointer", "id": "2448710", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448710"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23251", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23251\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23251\nhttps://lore.kernel.org/linux-cve-announce/2026031845-CVE-2026-23251-259a@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab97f4b1c030750f2475bf4da8a9554d02206640,5de5be3ed7e7fa4ebde4f4b58fb9a629644f9202)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab97f4b1c030750f2475bf4da8a9554d02206640,ba408d299a3bb3c5309f40c5326e4fb83ead4247)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab97f4b1c030750f2475bf4da8a9554d02206640,d827612c81a26cc1dd83a211cfcb5ad8765da0c4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[ab97f4b1c030750f2475bf4da8a9554d02206640,c9ccefacae0d8091683447bc338bd7741417039d)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.10"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.10)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.75,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.16,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.6,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-27T10:32:13.604656+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the XFS fix, such as 6.10 or later.", "Verify that the running kernel is the patched version using uname -r and reboot the system if necessary.", "Check vendor advisories or security bulletins for additional guidance or required configuration changes.", "Consider disabling or restricting XFS usage on systems that do not need it, as a temporary measure if an immediate kernel upgrade is not possible."], "summary": {"action": "Apply Patch", "impact": "Use\u2011After\u2011Free in XFS destructors"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that incorporated the buggy XFS logic are impacted. This includes kernels from 6.9 and 6.10 as well as earlier releases that had not yet received the patch. Any system running these kernels with XFS support is vulnerable.", "description_and_impact": "The Linux XFS filesystem contains a flaw in which the xfarray and xfblob destructors are invoked without confirming that the pointer is valid. This use\u2011after\u2011free can corrupt kernel memory. If an attacker can cause the buggy destructor path to run, the kernel may crash or an attacker could gain execution at kernel privilege level, leading to denial of service or privilege escalation.", "risk_and_exploitability": "The CVSS score of 7.0 indicates a moderate\u2011to\u2011high severity. The EPSS score is below 1\u202f% and the vulnerability is not listed in CISA\u2019s KEV catalog. Based on the description, it is inferred that an attacker would need to trigger XFS file operations that exercise the destructor paths, implying a local or privileged access requirement. If unpatched, the risk remains substantial; patching mitigates the vulnerability."}}}}, "created": "2026-03-19T08:56:22.080485+00:00", "updated": "2026-03-27T15:48:30.043050+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-416"]}