CVE-2026-23141 Overview
A memory access vulnerability has been identified in the Linux kernel's Btrfs (B-tree file system) send functionality. The issue exists in the range_is_hole_in_parent() function where the code fails to check whether a file extent item is an inline extent before accessing the disk_bytenr field. For inline extents, data starts at the offset of the disk_bytenr field, which means accessing this field without proper validation can result in reading inline data incorrectly or causing invalid memory access when the inline data is less than 8 bytes and the inline extent item is the first item in the leaf.
Critical Impact
This vulnerability can lead to invalid memory access in the Linux kernel's Btrfs file system, potentially causing system instability, kernel crashes, or disclosure of sensitive metadata from other items in the leaf structure.
Affected Products
- Linux kernel with Btrfs file system support
- Systems using Btrfs send/receive functionality
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-02-14 - CVE-2026-23141 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23141
Vulnerability Analysis
The vulnerability resides in the Btrfs send subsystem, specifically within the range_is_hole_in_parent() function. This function is responsible for determining whether a given range represents a hole (unallocated space) in the parent snapshot during incremental send operations.
The root issue is a missing type check for inline extents. In Btrfs, file extent items can be stored in two formats: regular extents (which have a disk_bytenr field pointing to the actual data location on disk) and inline extents (where the data is stored directly within the extent item itself, starting at the offset where disk_bytenr would normally be).
When the code attempts to access the disk_bytenr field without first verifying the extent type, it can inadvertently read inline data as if it were a disk byte number. This becomes particularly problematic in edge cases where:
- The inline data is less than 8 bytes (the size of the disk_bytenr field)
- The inline extent item is the first item in the B-tree leaf
In these scenarios, the memory access may read beyond the bounds of valid data, either accessing uninitialized memory or metadata belonging to other items in the leaf structure.
Root Cause
The vulnerability stems from improper input validation in the Btrfs send code path. The range_is_hole_in_parent() function accesses the disk_bytenr field of file extent items without first checking the extent type via the btrfs_file_extent_type() function. This omission violates the Btrfs data structure invariants where inline extents do not have a valid disk_bytenr field—instead, that memory location contains the actual file data.
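The missing type check described above, modeled in userspace C as an added example; it is not the kernel's code or the upstream patch. The struct mirrors the on-disk file extent item layout, while unchecked_overread(), extent_is_hole() and the check_* helpers are hypothetical names that operate on constructed sample items.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Userspace model of the Btrfs on-disk file extent item (packed). */
struct file_extent_item {
    uint64_t generation, ram_bytes;
    uint8_t compression, encryption;
    uint16_t other_encoding;
    uint8_t type;          /* 0 = inline, 1 = regular, 2 = prealloc */
    uint64_t disk_bytenr;  /* inline extents: file data starts here */
    uint64_t disk_num_bytes, offset, num_bytes;
} __attribute__((packed));
#define EXTENT_INLINE 0
#define INLINE_DATA_START offsetof(struct file_extent_item, disk_bytenr)

/* Bytes an unchecked 8-byte disk_bytenr read takes from beyond the item. */
size_t unchecked_overread(size_t item_size) {
    size_t end = INLINE_DATA_START + sizeof(uint64_t);
    return item_size < end ? end - item_size : 0;
}

/* 1 = hole, 0 = not a hole, -1 = malformed. The type is checked first. */
int extent_is_hole(const uint8_t *item, size_t item_size) {
    uint64_t bytenr;
    if (item_size < INLINE_DATA_START) return -1;
    if (item[offsetof(struct file_extent_item, type)] == EXTENT_INLINE)
        return 0;  /* inline: holds file data, has no disk_bytenr */
    if (item_size < sizeof(struct file_extent_item)) return -1;
    memcpy(&bytenr, item + INLINE_DATA_START, sizeof(bytenr));
    return bytenr == 0;  /* non-inline extent with disk_bytenr 0 is a hole */
}

/* Constructed sample: inline extent carrying n zero bytes of file data. */
int check_inline(size_t n) {
    uint8_t item[64] = {0};  /* type byte stays 0 = inline */
    if (n > sizeof(item) - INLINE_DATA_START) return -1;
    return extent_is_hole(item, INLINE_DATA_START + n);
}

/* Constructed sample: regular extent with the given disk_bytenr. */
int check_regular(uint64_t bytenr) {
    struct file_extent_item fi = {.type = 1, .disk_bytenr = bytenr};
    return extent_is_hole((const uint8_t *)&fi, sizeof(fi));
}

int main(void) {
    printf("inline(3): overread=%zu hole=%d\n",
           unchecked_overread(INLINE_DATA_START + 3), check_inline(3));
    return 0;
}
```

check_inline(8) covers the other failure mode: eight zero bytes of inline data would read as disk_bytenr == 0 without the type check, and the extent would be misclassified as a hole.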
Attack Vector
The vulnerability requires local access to the system with the ability to trigger Btrfs send operations on crafted file system images or snapshots. An attacker with sufficient privileges could potentially:
- Create a Btrfs subvolume containing specifically crafted inline extents
- Trigger an incremental send operation that processes the malicious extent items
- Exploit the invalid memory access to potentially leak kernel memory or cause a denial of service through a kernel crash
While exploitation requires local access and specific Btrfs operations, the vulnerability affects a fundamental kernel subsystem and could be leveraged by a malicious local user or through processing untrusted Btrfs file system images.
Detection Methods for CVE-2026-23141
Indicators of Compromise
- Kernel oops or panic messages referencing Btrfs send operations
- Unexpected crashes during btrfs send or btrfs receive commands
- Kernel log entries showing memory access violations in Btrfs code paths
- System instability when processing Btrfs snapshots with inline extents
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for Btrfs-related error messages and stack traces
- Implement system monitoring for unexpected kernel crashes during file system operations
- Use kernel live patching detection tools to verify patch status on production systems
- Deploy endpoint detection solutions capable of identifying kernel-level memory access anomalies
Monitoring Recommendations
- Enable Btrfs debugging output to capture detailed operation logs during send/receive operations
- Configure crash dump collection (kdump) to capture kernel state for post-incident analysis
- Monitor for unusual btrfs send invocations, especially from non-administrative users
- Implement file integrity monitoring on systems with sensitive Btrfs volumes
How to Mitigate CVE-2026-23141
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the inline extent check fix
- Restrict access to Btrfs send/receive operations to trusted administrators only
- Avoid processing untrusted Btrfs file system images or snapshots until patched
- Consider temporarily disabling Btrfs send functionality on critical systems if immediate patching is not possible
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix adds proper validation to check for inline extents before accessing the disk_bytenr field in the range_is_hole_in_parent() function.
Multiple patch commits are available across different kernel branches:
- Kernel Git Commit 08b096c
- Kernel Git Commit 39f83f1
- Kernel Git Commit db00636
- Kernel Git Commit f2dc6ab
System administrators should apply the appropriate patch for their kernel version and rebuild/reinstall the kernel, or upgrade to a distribution kernel package that includes the fix.
Workarounds
- Restrict Btrfs send/receive operations to trusted users with validated input
- Use alternative file system snapshot mechanisms (e.g., LVM snapshots) until patching is complete
- Implement access controls to prevent untrusted users from triggering send operations on Btrfs volumes
- Isolate systems performing Btrfs send/receive operations from untrusted network segments
```bash
# Verify current kernel version
uname -r
# Check for available kernel updates (Debian/Ubuntu)
apt list --upgradable | grep linux-image
# Check for available kernel updates (RHEL/CentOS)
yum check-update kernel
# Restrict btrfs command access to root only (temporary workaround)
# The binary's path varies by distribution, so resolve it instead of hard-coding it
chmod 700 "$(command -v btrfs)"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

