CVE-2026-23249 Overview
A null pointer dereference vulnerability exists in the Linux kernel's XFS filesystem btree repair functions. The vulnerability occurs when the free space (allocbt) and inode btree repair functions rebuild both btrees simultaneously. During revalidation, if a cross-reference check fails for the first btree (BNOBT), the corresponding cursor for the second btree (CNTBT) is nullified. Subsequent attempts to validate the second btree then trigger a kernel crash due to accessing a null cursor pointer.
Critical Impact
This vulnerability causes a kernel crash (denial of service) when an XFS online repair of the free space or inode btrees is revalidated. It can be reached through the scrub ioctls (XFS_IOC_SCRUB_METADATA or XFS_IOC_SCRUBV_METADATA with the repair flag set) or, on a debug kernel, by forcing the cross-reference failure with XFS_IOC_ERROR_INJECTION. All of these ioctls require CAP_SYS_ADMIN on the calling process, and error injection is only functional on kernels built with CONFIG_XFS_DEBUG, so in production the realistic trigger is a privileged scrub/repair run against corrupted on-disk metadata rather than an unprivileged local attack.
Affected Products
- Linux Kernel (XFS filesystem subsystem)
- Systems running XFS on a kernel built with CONFIG_XFS_ONLINE_SCRUB and CONFIG_XFS_ONLINE_REPAIR (the revalidation functions live in the online repair code, so kernels built without it do not contain the affected path)
Discovery Timeline
- 2026-03-18 - CVE-2026-23249 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-23249
Vulnerability Analysis
The vulnerability exists within the XFS filesystem's btree revalidation mechanism, specifically in the xrep_revalidate_allocbt() function. This function is designed to validate both the block number ordered btree (BNOBT) and the count ordered btree (CNTBT) after repair operations.
During the first call to xchk_allocbt() for BNOBT validation, the function performs cross-reference checks via xchk_allocbt_xref_other(). If this cross-reference fails (returning -EFSCORRUPTED), the xchk_should_check_xref() function nullifies the CNTBT cursor pointer (sc->sa.cnt_cur). When the second call to xchk_allocbt() attempts to validate the CNTBT using this now-null cursor, a null pointer dereference occurs in xchk_btree(), causing a kernel panic.
The issue was discovered through syzbot fuzzing, which demonstrated that error injection via XFS_IOC_ERROR_INJECTION could reliably trigger the crash condition during filesystem scrub operations.
Root Cause
The root cause is insufficient validation of btree cursor state between sequential btree validations. The repair revalidation logic assumes both cursors remain valid throughout the process, but error handling in cross-reference checks can nullify a cursor without checking if it will be needed for subsequent operations. The same vulnerability pattern affects xrep_revalidate_iallocbt() for inode allocation btrees.
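The cursor lifecycle described above, as an added user-space model (not kernel code, and not taken from the fix commits): it reproduces the sequence in which xchk_should_check_xref() frees the CNTBT cursor during the BNOBT pass, shows where the unpatched xrep_revalidate_allocbt() would dereference the NULL pointer, and applies the NULL check plus the incomplete-repair flag that the advisory says the fix adds. The struct layouts, the XFS_SCRUB_OFLAG_INCOMPLETE value and the simulate() harness are assumptions made for this example.

```c
/* Added model of the cursor lifecycle, not kernel code: names mirror the
 * kernel's, but the structs, flag value and return codes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef EFSCORRUPTED
#define EFSCORRUPTED 117                      /* EUCLEAN on Linux */
#endif
#define XFS_SCRUB_OFLAG_INCOMPLETE (1u << 5)  /* assumed to match xfs_fs.h */

struct xfs_btree_cur { int bc_nlevels; };     /* placeholder cursor */

struct xfs_scrub {
    struct xfs_btree_cur *bno_cur;  /* sc->sa.bno_cur in the kernel */
    struct xfs_btree_cur *cnt_cur;  /* sc->sa.cnt_cur in the kernel */
    unsigned int sm_flags;          /* sc->sm->sm_flags */
    int xref_fails;                 /* knob: make the BNOBT cross-reference fail */
    int null_deref_hits;            /* counts where the real kernel would oops */
};

/* Mirrors xchk_should_check_xref(): on error, free the cursor used for the
 * cross-reference and clear the caller's pointer to it. */
static int xchk_should_check_xref(int *error, struct xfs_btree_cur **curpp)
{
    if (*error == 0)
        return 1;
    if (curpp && *curpp) {
        free(*curpp);
        *curpp = NULL;              /* this is what leaves cnt_cur NULL */
    }
    *error = 0;
    return 0;
}

/* Stand-in for xchk_btree(), which dereferences cur unconditionally. */
static int xchk_btree(struct xfs_scrub *sc, struct xfs_btree_cur *cur)
{
    if (!cur) {
        sc->null_deref_hits++;      /* the kernel crashes at this point */
        return -1;
    }
    return 0;                       /* tree walk elided */
}

/* Model of xchk_allocbt(): the BNOBT pass cross-references against the
 * CNTBT cursor (and vice versa), then walks its own tree. */
static int xchk_allocbt(struct xfs_scrub *sc, int is_bnobt)
{
    struct xfs_btree_cur **own   = is_bnobt ? &sc->bno_cur : &sc->cnt_cur;
    struct xfs_btree_cur **other = is_bnobt ? &sc->cnt_cur : &sc->bno_cur;
    int error = (is_bnobt && sc->xref_fails) ? -EFSCORRUPTED : 0;

    /* xchk_allocbt_xref_other(): a failed lookup discards the other cursor */
    xchk_should_check_xref(&error, other);
    return xchk_btree(sc, *own);
}

/* Unpatched flow: validate BNOBT, then CNTBT, without rechecking cnt_cur. */
static int xrep_revalidate_allocbt_vulnerable(struct xfs_scrub *sc)
{
    xchk_allocbt(sc, 1);
    return xchk_allocbt(sc, 0);
}

/* Patched flow as the advisory describes it: if the first pass freed the
 * second cursor, stop and flag the repair incomplete instead of crashing. */
static int xrep_revalidate_allocbt_fixed(struct xfs_scrub *sc)
{
    xchk_allocbt(sc, 1);
    if (!sc->cnt_cur) {
        sc->sm_flags |= XFS_SCRUB_OFLAG_INCOMPLETE;
        return 0;
    }
    return xchk_allocbt(sc, 0);
}

/* Run one revalidation; returns how many NULL dereferences it would hit and
 * reports the resulting scrub flags through *flags_out. */
int simulate(int use_fixed, int xref_fails, unsigned int *flags_out)
{
    struct xfs_scrub sc;

    memset(&sc, 0, sizeof sc);
    sc.bno_cur = calloc(1, sizeof *sc.bno_cur);
    sc.cnt_cur = calloc(1, sizeof *sc.cnt_cur);
    sc.xref_fails = xref_fails;
    (use_fixed ? xrep_revalidate_allocbt_fixed
               : xrep_revalidate_allocbt_vulnerable)(&sc);
    free(sc.bno_cur);               /* free(NULL) is a no-op */
    free(sc.cnt_cur);
    if (flags_out)
        *flags_out = sc.sm_flags;
    return sc.null_deref_hits;
}

int main(void)
{
    unsigned int flags = 0;
    int hits = simulate(0, 1, &flags);
    printf("unpatched, xref fails: %d NULL deref(s)\n", hits);
    hits = simulate(1, 1, &flags);
    printf("patched, xref fails:   %d NULL deref(s), sm_flags=0x%x\n", hits, flags);
    return 0;
}
```

The knob xref_fails stands in for either genuinely inconsistent BNOBT/CNTBT records or the injected error tag from the syzbot reproducer; in both cases the only difference between crashing and returning cleanly is the one NULL check before the second pass.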
Attack Vector
The vulnerability is triggered through filesystem ioctl operations. A local user holding CAP_SYS_ADMIN (the privilege the XFS scrub and error-injection ioctls check for) can reach it by requesting an online repair of the free space or inode btrees on a filesystem whose metadata fails cross-referencing, or, on a kernel built with CONFIG_XFS_DEBUG, by forcing that failure with XFS_IOC_ERROR_INJECTION.
The call chain is xfs_file_ioctl() → xfs_ioc_scrubv_metadata() → xfs_scrub_metadata() → sc->ops->repair_eval(sc) → xrep_revalidate_allocbt(). Combined with error injection or corrupted filesystem structures, this path leads to cursor nullification and the subsequent null pointer access.
Detection Methods for CVE-2026-23249
Indicators of Compromise
- Kernel panic messages referencing xchk_btree() or xrep_revalidate_allocbt() in the stack trace
- System crashes during XFS filesystem scrub or repair operations (xfs_scrub utility)
- Kernel oops logs containing null pointer dereference errors in XFS-related functions
- Unusual XFS_IOC_SCRUBV_METADATA or XFS_IOC_ERROR_INJECTION ioctl calls in system audit logs
Detection Strategies
- Monitor kernel logs for XFS-related null pointer dereference crashes using dmesg or centralized logging
- Deploy kernel crash dump analysis (crash or drgn on a kdump vmcore) to confirm stack traces that end in xchk_btree() called from xrep_revalidate_allocbt() or xrep_revalidate_iallocbt()
- Audit ioctl system calls targeting XFS filesystems for unusual scrub operation patterns
- Track invocations of xfs_scrub and its systemd units (xfs_scrub@.service, xfs_scrub_all.timer) so a crash can be correlated with a repair run
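A detection check over constructed dmesg lines, as an added example (not from the advisory or from any vendor tool): it matches the oops header and the XFS scrub/repair frames listed above and ignores NULL dereferences elsewhere in the kernel. The sample log and the symbol offsets in it are constructed, and the symbol list is an assumption drawn from the functions this advisory names.

```c
/* Added example, not from the advisory: scan kernel log text for an oops
 * whose header is a NULL pointer dereference and whose call trace passes
 * through XFS scrub/repair code. The sample log below is constructed. */
#include <stdio.h>
#include <string.h>

static const char *const SCRUB_SYMBOLS[] = {
    "xchk_btree", "xchk_allocbt", "xchk_iallocbt",
    "xrep_revalidate_allocbt", "xrep_revalidate_iallocbt",
};

/* True if the line is a stack frame for one of SCRUB_SYMBOLS, i.e. the
 * symbol name is followed by "+" (so xchk_btree_block does not match). */
static int is_scrub_frame(const char *line)
{
    size_t i;
    for (i = 0; i < sizeof SCRUB_SYMBOLS / sizeof SCRUB_SYMBOLS[0]; i++) {
        const char *hit = strstr(line, SCRUB_SYMBOLS[i]);
        if (hit && hit[strlen(SCRUB_SYMBOLS[i])] == '+')
            return 1;
    }
    return 0;
}

/* Count oopses in the log that start with a NULL pointer dereference header
 * and contain an XFS scrub/repair frame before the "---[ end trace" marker
 * (or before the end of the buffer, for a truncated trace). */
int count_xfs_scrub_null_deref(const char *log)
{
    const char *p = log;
    int in_oops = 0, matched = 0, hits = 0;
    char line[512];

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line)     /* clip an over-long line */
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (strstr(line, "BUG: kernel NULL pointer dereference")) {
            in_oops = 1;
            matched = 0;
        } else if (in_oops && strstr(line, "---[ end trace")) {
            hits += matched;
            in_oops = 0;
        } else if (in_oops && !matched && is_scrub_frame(line)) {
            matched = 1;
        }
    }
    hits += in_oops && matched;     /* trace truncated at end of buffer */
    return hits;
}

/* Constructed dmesg excerpt: one XFS scrub oops, one unrelated oops. */
const char SAMPLE_LOG[] =
    "[  124.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010\n"
    "[  124.000001] #PF: supervisor read access in kernel mode\n"
    "[  124.000002] Call Trace:\n"
    "[  124.000003]  <TASK>\n"
    "[  124.000004]  xchk_btree+0x1a2/0x5c0 [xfs]\n"
    "[  124.000005]  xchk_allocbt+0x6e/0x90 [xfs]\n"
    "[  124.000006]  xrep_revalidate_allocbt+0x3d/0x60 [xfs]\n"
    "[  124.000007]  xfs_scrub_metadata+0x2b1/0x4a0 [xfs]\n"
    "[  124.000008]  xfs_ioc_scrubv_metadata+0x1f4/0x380 [xfs]\n"
    "[  124.000009]  xfs_file_ioctl+0x5a2/0xa80 [xfs]\n"
    "[  124.000010]  </TASK>\n"
    "[  124.000011] ---[ end trace 0000000000000000 ]---\n"
    "[  200.000000] BUG: kernel NULL pointer dereference, address: 0000000000000000\n"
    "[  200.000001] Call Trace:\n"
    "[  200.000002]  ext4_map_blocks+0x10/0x20\n"
    "[  200.000003] ---[ end trace 0000000000000000 ]---\n";

int main(void)
{
    printf("XFS scrub NULL-deref oopses in sample log: %d\n",
           count_xfs_scrub_null_deref(SAMPLE_LOG));
    return 0;
}
```

Feed it the output of dmesg or the kernel journal; the "+offset/size" suffix check keeps the match on the functions in the advisory rather than on any symbol that merely starts with xchk_btree.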
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture detailed information during kernel panics
- Configure auditd rules to track XFS scrub and error-injection ioctls. The a1 filter must carry the full 32-bit request number (direction, argument size, type 'X' and command number, as built by _IOWR), not a short two-byte code; for XFS_IOC_SCRUB_METADATA on x86-64 that is auditctl -a exit,always -F arch=b64 -S ioctl -F a1=0xc040583c -k xfs_scrub, to be confirmed against the kernel's xfs_fs.h before deployment
- Monitor for repeated XFS scrub failures in system logs which may indicate exploitation attempts
- Set up alerting for unexpected kernel crashes on systems with XFS filesystems
How to Mitigate CVE-2026-23249
Immediate Actions Required
- Apply the kernel patches from the official kernel git repository immediately
- Restrict access to XFS filesystem repair utilities to authorized administrators only
- Do not grant CAP_SYS_ADMIN, which the XFS scrub and error-injection ioctls require, to containers or service accounts that have no need for it
- Consider temporarily disabling XFS online scrub functionality if patching is not immediately possible
Patch Information
Multiple kernel patches have been released to address this vulnerability. The fix checks the second cursor before revalidating the second btree and marks the repair as incomplete, rather than crashing, when the first tree's cross-reference check has already freed that cursor. The same fix was applied to xrep_revalidate_iallocbt(), which had the identical issue.
Patches are available from the following sources:
- Kernel Git Commit 55e03b8
- Kernel Git Commit 5991e96
- Kernel Git Commit b04baa8
- Kernel Git Commit d69de52
Workarounds
- Disable XFS online scrub operations by restricting access to the xfs_scrub utility and related ioctl interfaces
- Use access control lists to limit which users can invoke XFS filesystem maintenance operations
- Deploy SELinux or AppArmor policies to restrict access to XFS-specific ioctl commands
- Avoid running XFS scrub operations on production systems until patches are applied
# xfs_scrub has to run as root anyway (its ioctls need CAP_SYS_ADMIN);
# tightening its mode only keeps other accounts from invoking it
chmod 700 /usr/sbin/xfs_scrub
# Stop the scheduled online scrub units shipped by xfsprogs until patched
systemctl disable --now xfs_scrub_all.timer
systemctl mask xfs_scrub@.service
# Audit XFS scrub and error-injection ioctls. a1 holds the full 32-bit
# request number; the values below are the _IOWR('X', ...) encodings on
# x86-64 and should be confirmed against the kernel's xfs_fs.h
auditctl -a exit,always -F arch=b64 -S ioctl -F a1=0xc040583c -k xfs_scrub_monitor
auditctl -a exit,always -F arch=b64 -S ioctl -F a1=0xc0285840 -k xfs_scrub_monitor
auditctl -a exit,always -F arch=b64 -S ioctl -F a1=0x40085874 -k xfs_error_injection
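The auditd rules in this advisory filter on a1, which for ioctl(2) is the request number, and that number is the full 32-bit _IOC encoding (direction bits, argument size, type 'X', command number), so a rule carrying a bare two-byte constant never matches. As an added example that is not from the advisory or from xfsprogs, the following C program derives the numbers from the argument struct sizes and prints ready-to-use rules; the struct layouts and the _IOW/_IOWR('X', nr, ...) definitions are transcribed from the XFS UAPI header as the author understands it and should be checked against the xfs_fs.h on the target system.

```c
/* Added example, not from the advisory or xfsprogs: compute XFS ioctl
 * request numbers for auditd "-F a1=" filters. Struct layouts and command
 * numbers are assumed from the XFS UAPI header; verify against xfs_fs.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* asm-generic/ioctl.h layout: nr:8 | type:8 | size:14 | dir:2 */
#define IOC_WRITE 1u
#define IOC_READ  2u
#define IOC(dir, type, nr, size) \
    (((uint32_t)(dir) << 30) | ((uint32_t)(size) << 16) | \
     ((uint32_t)(type) << 8) | (uint32_t)(nr))
#define IOW(type, nr, sz)  IOC(IOC_WRITE, (type), (nr), (sz))
#define IOWR(type, nr, sz) IOC(IOC_READ | IOC_WRITE, (type), (nr), (sz))

/* Argument structs; their sizes are what goes into the encoding. */
struct xfs_error_injection { int32_t fd; int32_t errtag; };
struct xfs_scrub_metadata {
    uint32_t sm_type, sm_flags;
    uint64_t sm_ino;
    uint32_t sm_gen, sm_agno;
    uint64_t sm_reserved[5];
};
struct xfs_scrub_vec_head {
    uint64_t svh_ino;
    uint32_t svh_gen, svh_agno, svh_flags;
    uint16_t svh_rest_us, svh_nr;
    uint64_t svh_reserved, svh_vectors;
};

uint32_t xfs_ioc_error_injection(void)
{
    return IOW('X', 116, sizeof(struct xfs_error_injection));
}
uint32_t xfs_ioc_scrub_metadata(void)
{
    return IOWR('X', 60, sizeof(struct xfs_scrub_metadata));
}
uint32_t xfs_ioc_scrubv_metadata(void)
{
    return IOWR('X', 64, sizeof(struct xfs_scrub_vec_head));
}

/* Decode a request number back into its fields, to sanity-check a rule
 * (type should come out as 'X' for every XFS ioctl). */
void ioc_decode(uint32_t cmd, unsigned *dir, unsigned *type,
                unsigned *nr, unsigned *size)
{
    *dir  = cmd >> 30;
    *size = (cmd >> 16) & 0x3fff;
    *type = (cmd >> 8) & 0xff;
    *nr   = cmd & 0xff;
}

/* Render the auditctl rule for one request number into buf. */
int audit_rule(char *buf, size_t n, uint32_t cmd, const char *key)
{
    return snprintf(buf, n,
        "auditctl -a exit,always -F arch=b64 -S ioctl -F a1=0x%08x -k %s",
        cmd, key);
}

int main(void)
{
    char rule[160];
    audit_rule(rule, sizeof rule, xfs_ioc_scrub_metadata(), "xfs_scrub_monitor");
    puts(rule);
    audit_rule(rule, sizeof rule, xfs_ioc_scrubv_metadata(), "xfs_scrub_monitor");
    puts(rule);
    audit_rule(rule, sizeof rule, xfs_ioc_error_injection(), "xfs_error_injection");
    puts(rule);
    return 0;
}
```

On a 32-bit userspace the 64-bit fields may be aligned differently, which changes the struct sizes and therefore the numbers; the arch=b64 filter in the rules keeps them to the 64-bit ABI the values were computed for.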
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


