CVE-2026-23423 Overview
CVE-2026-23423 is a memory leak vulnerability [CWE-401] in the Linux kernel's Btrfs filesystem. The flaw resides in the btrfs_uring_read_extent() function, where the pages object is not freed along error paths. The function relies on btrfs_uring_read_finished() picking up the allocation in deferred execution, but this only occurs in the success path. When allocations fail earlier or when btrfs_encoded_read_regular_fill_pages() returns a value other than -EIOCBQUEUED, the cleanup section frees other memory but leaks the pages allocation.
Critical Impact
A local authenticated user can trigger repeated memory leaks through io_uring read operations on Btrfs, exhausting kernel memory and causing denial of service.
Affected Products
- Linux kernel 6.13 (release)
- Linux kernel 7.0-rc1 through 7.0-rc7
- Btrfs filesystem with io_uring encoded read support enabled
Discovery Timeline
- 2026-04-03 - CVE-2026-23423 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-23423
Vulnerability Analysis
The vulnerability is classified as a missing release of memory after effective lifetime [CWE-401]. The btrfs_uring_read_extent() function implements io_uring-based encoded reads on Btrfs. It allocates a pages array intended to be released asynchronously by btrfs_uring_read_finished() once the read completes.
The deferred-free pattern only holds when the function successfully queues the asynchronous operation and returns -EIOCBQUEUED. If an earlier allocation fails, or if btrfs_encoded_read_regular_fill_pages() returns an error or a synchronous completion, control transfers to a cleanup label. That cleanup path releases all other resources allocated within the function but omits the pages buffer, producing a kernel memory leak on every failed invocation.
Root Cause
The root cause is inconsistent ownership transfer of the pages allocation. The code assumes successful queuing of the asynchronous read, so the cleanup path was written under the false premise that deferred completion would always reclaim the buffer. Error paths therefore drop the only reference to pages without invoking the corresponding free routine.
Attack Vector
Exploitation requires local access with privileges sufficient to issue io_uring operations against a Btrfs filesystem. An attacker repeatedly invokes encoded read operations under conditions that force the function into its error paths, such as resource pressure or crafted argument values that cause earlier allocations to fail. Each failed call leaks the pages allocation, gradually exhausting kernel memory and resulting in availability impact. The vulnerability does not expose confidentiality or integrity but degrades system stability.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-23423
Indicators of Compromise
- Steady growth of kernel slab memory associated with page allocations on hosts using Btrfs with io_uring workloads
- Repeated EIO, ENOMEM, or non-EIOCBQUEUED return codes from io_uring encoded read submissions
- Out-of-memory events or OOM-killer activity on systems with otherwise predictable memory footprints
Detection Strategies
- Audit installed kernel versions for Linux 6.13 and 7.0-rc1 through 7.0-rc7 across managed Linux hosts
- Monitor /proc/meminfo and /proc/slabinfo for unexplained increases in kernel page allocations on Btrfs-backed systems
- Correlate io_uring submission queue activity with Btrfs filesystem operations to identify abnormal patterns of failed encoded reads
Monitoring Recommendations
- Enable kernel memory leak detection (kmemleak) on test systems running affected kernels to confirm exposure
- Track per-process io_uring usage and flag non-root processes generating high volumes of Btrfs encoded read submissions
- Centralize kernel logs and watch for btrfs warnings or repeated allocation failures originating from the io_uring subsystem
How to Mitigate CVE-2026-23423
Immediate Actions Required
- Inventory Linux hosts running kernel 6.13 or any 7.0-rc release and prioritize them for patching
- Apply the upstream Btrfs fix referenced in the kernel stable tree commits as soon as vendor builds are available
- Restrict io_uring access for untrusted local users on multi-tenant systems by configuring kernel.io_uring_disabled where supported
Patch Information
The fix adds the missing free for the pages allocation in the error cleanup path of btrfs_uring_read_extent(). Patches are merged in the upstream Linux stable tree under commits 3f501412f2079ca14bf68a18d80a2b7a823f1f64, 628895890b0c9ac9129129e89455da7db95ba343, and d4f210de01eaccac61eee657f676045ef9771d07. Distribution-specific kernel updates should be applied once published.
Workarounds
- Disable io_uring system-wide using sysctl -w kernel.io_uring_disabled=2 on kernels that support the toggle
- Avoid using Btrfs encoded read interfaces from untrusted user contexts until patched kernels are deployed
- Limit local shell access on systems exposing Btrfs filesystems via io_uring to reduce exposure to local denial-of-service attempts
# Configuration example: disable io_uring for non-privileged users
sysctl -w kernel.io_uring_disabled=2
echo 'kernel.io_uring_disabled=2' | sudo tee /etc/sysctl.d/99-disable-io_uring.conf
sudo sysctl --system
# Verify current kernel version against affected releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
