{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix block_group_tree dirty_list corruption\\n\\nWhen the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the\\nblock group tree to the switch_commits list before calling\\nswitch_commit_roots, as we do for the tree root and the chunk root.\\nHowever, the block group tree uses normal root dirty tracking and in any\\ntransaction that does an allocation and dirties a block group, the block\\ngroup root will already be linked to a list by the dirty_list field and\\nthis use of list_add_tail() is invalid and corrupts the prev\/next\\nmembers of block_group_root-\\u003edirty_list.\\n\\nThis is apparent on a subsequent list_del on the prev if we enable\\nCONFIG_DEBUG_LIST:\\n\\n [32.1571] ————[ cut here ]————\\n [32.1572] list_del corruption. next-\\u003eprev should beffff958890202538, but was ffff9588992bd538. (next=ffff958890201538)\\n [32.1575] WARNING: lib\/list_debug.c:65 at 0x0, CPU#3: sync\/607\\n [32.1583] CPU: 3 UID: 0 PID: 607 Comm: sync Not tainted 6.18.0 #24PREEMPT(none)\\n [32.1585] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS1.17.0-4.fc41 04\/01\/2014\\n [32.1587] RIP: 0010:__list_del_entry_valid_or_report+0x108\/0x120\\n [32.1593] RSP: 0018:ffffaa288287fdd0 EFLAGS: 00010202\\n [32.1594] RAX: 0000000000000001 RBX: ffff95889326e800 RCX:ffff958890201538\\n [32.1596] RDX: ffff9588992bd538 RSI: ffff958890202538 RDI:ffffffff82a41e00\\n [32.1597] RBP: ffff958890202538 R08: ffffffff828fc1e8 R09:00000000ffffefff\\n [32.1599] R10: ffffffff8288c200 R11: ffffffff828e4200 R12:ffff958890201538\\n [32.1601] R13: ffff95889326e958 R14: ffff958895c24000 R15:ffff958890202538\\n [32.1603] FS: 00007f0c28eb5740(0000) GS:ffff958af2bd2000(0000)knlGS:0000000000000000\\n [32.1605] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\\n [32.1607] CR2: 00007f0c28e8a3cc CR3: 0000000109942005 CR4:0000000000370ef0\\n [32.1609] Call Trace:\\n [32.1610] \\u003cTASK\\u003e\\n [32.1611] switch_commit_roots+0x82\/0x1d0 [btrfs]\\n [32.1615] btrfs_commit_transaction+0x968\/0x1550 [btrfs]\\n [32.1618] ? btrfs_attach_transaction_barrier+0x23\/0x60 [btrfs]\\n [32.1621] __iterate_supers+0xe8\/0x190\\n [32.1622] ? __pfx_sync_fs_one_sb+0x10\/0x10\\n [32.1623] ksys_sync+0x63\/0xb0\\n [32.1624] __do_sys_sync+0xe\/0x20\\n [32.1625] do_syscall_64+0x73\/0x450\\n [32.1626] entry_SYSCALL_64_after_hwframe+0x76\/0x7e\\n [32.1627] RIP: 0033:0x7f0c28d05d2b\\n [32.1632] RSP: 002b:00007ffc9d988048 EFLAGS: 00000246 ORIG_RAX:00000000000000a2\\n [32.1634] RAX: ffffffffffffffda RBX: 00007ffc9d988228 RCX:00007f0c28d05d2b\\n [32.1636] RDX: 00007f0c28e02301 RSI: 00007ffc9d989b21 RDI:00007f0c28dba90d\\n [32.1637] RBP: 0000000000000001 R08: 0000000000000001 R09:0000000000000000\\n [32.1639] R10: 0000000000000000 R11: 0000000000000246 R12:000055b96572cb80\\n [32.1641] R13: 000055b96572b19f R14: 00007f0c28dfa434 R15:000055b96572b034\\n [32.1643] \\u003c\/TASK\\u003e\\n [32.1644] irq event stamp: 0\\n [32.1644] hardirqs last enabled at (0): [\\u003c0000000000000000\\u003e] 0x0\\n [32.1646] hardirqs last disabled at (0): [\\u003cffffffff81298817\\u003e]copy_process+0xb37\/0x2260\\n [32.1648] softirqs last enabled at (0): [\\u003cffffffff81298817\\u003e]copy_process+0xb37\/0x2260\\n [32.1650] softirqs last disabled at (0): [\\u003c0000000000000000\\u003e] 0x0\\n [32.1652] —[ end trace 0000000000000000 ]—\\n\\nFurthermore, this list corruption eventually (when we happen to add a\\nnew block group) results in getting the switch_commits and\\ndirty_cowonly_roots lists mixed up and attempting to call update_root\\non the tree root which can’t be found in the tree root, resulting in a\\ntransaction abort:\\n\\n [87.8269] BTRFS critical (device nvme1n1): unable to find root key (1 0 0) in tree 1\\n [87.8272] ————[ cut here ]————\\n [87.8274] BTRFS: Transaction aborted (error -117)\\n [87.8275] WARNING: fs\/btrfs\/root-tree.c:153 at 0x0, CPU#4: sync\/703\\n [87.8285] CPU: 4 UID: 0 PID: 703 Comm: sync Not tainted 6.18.0 #25 PREEMPT(none)\\n [87.8287] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-4.fc41 0\\n—truncated—“,”published”:”2026-06-03T15:49:47.684Z”,”modified”:”2026-06-05T06:06:23.688Z”,”type”:”cve”,”title”:”btrfs: fix block_group_tree dirty_list corruption”,”source”:”Linux”,”references”:”https:\/\/git.kernel.org\/stable\/c\/6e10283b5519d987d880d71bec90cdc7f2ec62b3\\nhttps:\/\/git.kernel.org\/stable\/c\/e3d1fd084319f8f0830b22f014c7af6a96b4497b\\nhttps:\/\/git.kernel.org\/stable\/c\/4eb830847d84276f1c8ea46541cfeeedaba1fb63\\nhttps:\/\/git.kernel.org\/stable\/c\/80e1fda9c084dcf54819a12bc7682ec0afd2d8f4\\nhttps:\/\/git.kernel.org\/stable\/c\/201091da34c4f113af6b4a7407091c39bf29d4ca\\nhttps:\/\/git.kernel.org\/stable\/c\/3a1f4264daed4b419c325a7fe35e756cada3cf82″,”id”:”CVE-2026-46251″,”bulletinFamily”:””,”cwe”:null,”cvelist”:null,”sourceData”:”Linux Linux 14033b08a02916e85ffc5397e4ac15337359f3ae\\nLinux Linux 14033b08a02916e85ffc5397e4ac15337359f3ae\\nLinux Linux 14033b08a02916e85ffc5397e4ac15337359f3ae\\nLinux Linux 14033b08a02916e85ffc5397e4ac15337359f3ae\\nLinux Linux 14033b08a02916e85ffc5397e4ac15337359f3ae\\nLinux Linux 14033b08a02916e85ffc5397e4ac15337359f3ae\\nLinux Linux dabf41db56f378a360ff0219c467f8dfecda7dd6\\nLinux Linux 6.0.19\\nLinux Linux 6.1″,”sourceHref”:””,”cvss”:{“score”:8.4,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Linux”,”version”:”14033b08a02916e85ffc5397e4ac15337359f3ae”,”vendor”:”Linux”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”In the Linux kernel, the following vulnerability has been resolved:\\n\\nbtrfs: fix block_group_tree dirty_list corruption\\n\\nWhen the incompat flag EXTENT_TREE_V2 is set, we unconditionally add the\\nblock group…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,74,12,15,13,7,11,5],"class_list":["post-59981","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-84","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n