CVE-2026-23465 Overview
A vulnerability has been identified in the Linux kernel's Btrfs filesystem implementation where directory entries (dentries) are not properly logged when handling the parent directory of a conflicting inode. When the parent directory of a conflicting inode is logged, new dentries are not being recorded, leaving the parent directory's inode marked as logged without its new dentries. This can result in data loss after power failures, as explicitly fsynced directories may not have their new entries persisted to disk.
Critical Impact
After a power failure, newly created directory entries may be missing following log replay, potentially causing data loss and filesystem inconsistencies on systems using Btrfs.
Affected Products
- Linux Kernel (Btrfs filesystem component)
- Systems using Btrfs filesystem with fsync operations
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-23465 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23465
Vulnerability Analysis
The vulnerability resides in the Btrfs logging mechanism, specifically in how the filesystem handles directory entry logging when a conflicting inode scenario occurs. When a file is created with the same name and parent as a previously deleted directory that was persisted in a past transaction, the deleted directory's inode becomes a "conflicting inode" to the new file's inode.
During an fsync operation on a directory containing such a file, the Btrfs code logs the parent directory because the conflicting inode no longer exists. However, the logging logic fails to include the new dentries of that parent directory. This results in the parent directory being marked as "logged" without actually having its new directory entries recorded in the log.
The consequence is that subsequent fsync operations on the parent directory become no-ops (since the directory is already marked as logged), even though the new dentries were never actually persisted. If a power failure occurs before the next full sync, the log replay will not recreate these missing directory entries, leading to data loss.
Root Cause
The root cause is an incomplete logging operation in the Btrfs filesystem code. When logging the parent directory of a no longer existing conflicting inode, the code path fails to trigger the logging of new directory entries. The logging mechanism marks the parent inode as logged prematurely, before all associated dentries have been committed to the log tree.
Attack Vector
This is a data integrity vulnerability rather than a security exploitation vector in the traditional sense. The conditions for triggering this bug involve:
- Creating a directory and syncing it to disk
- Removing that directory
- Creating new directories and a file with the same name as the deleted directory
- Creating a hard link to that file in one of the new directories
- Performing fsync on the directory containing the hard link
- Performing fsync on the parent directory
- Experiencing a power failure before the next full filesystem sync
The scenario occurs naturally during typical filesystem operations and does not require malicious intent to trigger. However, the data loss consequences can be significant for systems relying on Btrfs journaling for data integrity.
Detection Methods for CVE-2026-23465
Indicators of Compromise
- Missing directories or files after system recovery from unexpected shutdown
- Btrfs log replay messages in kernel logs indicating incomplete recovery
- Filesystem inconsistencies detected during btrfs check operations
- User reports of missing newly created directories after power failures
Detection Strategies
- Monitor for Btrfs-related errors in kernel logs (dmesg | grep -i btrfs)
- Implement filesystem integrity checks after unexpected system restarts
- Review system logs for patterns matching power failure recovery scenarios
- Track fsync operations on Btrfs filesystems using ftrace or BPF-based monitoring
Monitoring Recommendations
- Enable Btrfs debugging output for production systems experiencing unexplained data loss
- Implement regular filesystem consistency checks using btrfs scrub and btrfs check
- Monitor UPS battery health to minimize unplanned power failure scenarios
- Consider additional backup strategies for critical data on Btrfs filesystems
How to Mitigate CVE-2026-23465
Immediate Actions Required
- Update to a patched Linux kernel version that includes the fix
- For critical systems, consider using sync instead of fsync to ensure full filesystem synchronization
- Implement proper power failure protection (UPS) for systems using Btrfs
- Review backup strategies to ensure data integrity
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix ensures that new directory dentries are properly logged whenever the parent directory of a no longer existing conflicting inode is logged. Multiple commits have been merged to stable kernel branches:
- Linux Kernel Commit 1cf30c7
- Linux Kernel Commit 56e72c8
- Linux Kernel Commit 6f5a519
- Linux Kernel Commit 9573a36
- Linux Kernel Commit f556b1e
Workarounds
- Use sync command or syncfs() system call instead of per-file fsync() for critical directory operations
- Implement application-level verification of directory contents after fsync operations
- Consider using alternative filesystems (ext4, XFS) for workloads that heavily rely on fsync semantics
- Enable Btrfs flushoncommit mount option for enhanced data safety at the cost of performance
# Configuration example - mount with flushoncommit for enhanced safety
mount -o flushoncommit /dev/sda1 /mnt/btrfs
# Alternative: Use full sync instead of fsync in scripts
sync
# Or use syncfs on specific filesystem
python3 -c "import os; os.syncfs(os.open('/mnt/btrfs', os.O_RDONLY))"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
