CVE-2026-46251 Overview
CVE-2026-46251 is a list corruption vulnerability in the Linux kernel btrfs filesystem. The flaw exists in the block group tree commit path when the EXTENT_TREE_V2 incompatible feature flag is enabled. The kernel unconditionally adds the block group tree to the switch_commits list before calling switch_commit_roots, even when the root is already linked via its dirty_list field. This double-linking corrupts the prev/next pointers of block_group_root->dirty_list, leading to a subsequent list_del failure and an eventual btrfs transaction abort with error -117.
Critical Impact
List corruption in the btrfs commit path causes transaction aborts, filesystem unavailability, and potential filesystem inconsistency on kernels using the EXTENT_TREE_V2 layout.
Affected Products
- Linux kernel builds containing the btrfs block group tree commit logic
- Linux kernel 6.18.0 (explicitly referenced in the upstream report)
- Stable kernel branches receiving the backported fix commits
Discovery Timeline
- 2026-06-03 - CVE-2026-46251 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46251
Vulnerability Analysis
The defect resides in the btrfs transaction commit path. When EXTENT_TREE_V2 is enabled, btrfs treats the block group tree like the tree root and chunk root by adding it to the switch_commits list before calling switch_commit_roots. However, the block group tree uses normal root dirty tracking. Any transaction that performs an allocation and dirties a block group already links the block group root through its dirty_list field. The unconditional list_add_tail() on an already-linked list head overwrites the prev/next pointers and corrupts the list structure.
With CONFIG_DEBUG_LIST enabled, the corruption surfaces in __list_del_entry_valid_or_report as a warning indicating next->prev mismatch. Without debugging enabled, the corruption silently propagates. When a new block group is added later, the switch_commits and dirty_cowonly_roots lists become entangled, causing update_root to be invoked on the tree root with a key that cannot be found. The transaction is then aborted with error -117 (-ENOENT).
Root Cause
The root cause is improper list membership handling, a general data structure misuse. The btrfs commit logic assumes the block group tree is not already on a tracking list, but the normal dirty-root tracking path has already inserted it. The duplicate insertion via list_add_tail() corrupts adjacent list nodes.
Attack Vector
Triggering the condition requires the filesystem to be formatted with the EXTENT_TREE_V2 incompatible flag and an active transaction that allocates and dirties a block group. A local user issuing standard filesystem operations such as sync can reproduce the abort. The reported trace shows the failure occurring in switch_commit_roots invoked from btrfs_commit_transaction during a ksys_sync call. No specific exploitation primitive is described in the upstream report; the documented impact is filesystem-level denial of service through transaction abort.
No verified proof-of-concept code is published for this issue. Refer to the upstream patch commits for the exact code change that conditionally adds the block group tree to switch_commits only when it is not already on the dirty list.
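The double insertion described under Vulnerability Analysis, and the conditional add described for the fix, can be modelled in userspace. The following is an added illustration, not kernel code, not the upstream patch and not a reproducer. The list helpers are re-implemented locally, commit_keeps_lists_valid and the tracked list are hypothetical names, and the list_empty() guard is an assumed way to express "not already linked".

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace copy of the kernel's circular doubly linked list helpers. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

/* Like the kernel helper, this assumes 'entry' is not linked anywhere. */
static void list_add_tail(struct list_head *entry, struct list_head *head)
{
    struct list_head *prev = head->prev;
    entry->next = head;
    entry->prev = prev;
    prev->next = entry;
    head->prev = entry;
}

/* The neighbour check CONFIG_DEBUG_LIST performs before unlinking an entry. */
static bool list_del_entry_valid(const struct list_head *e)
{
    return e->prev->next == e && e->next->prev == e;
}

/* Hypothetical model of the commit step: each list_head is one root's dirty_list,
 * 'tracked' is the list dirty tracking already put the block group root on. */
static bool commit_keeps_lists_valid(bool already_linked, bool guarded)
{
    struct list_head tracked, switch_commits, tree_root, chunk_root, bg_root;
    INIT_LIST_HEAD(&tracked);
    INIT_LIST_HEAD(&switch_commits);
    INIT_LIST_HEAD(&bg_root);
    list_add_tail(&tree_root, &tracked);
    if (already_linked)
        list_add_tail(&bg_root, &tracked);
    list_add_tail(&chunk_root, &switch_commits);
    /* Buggy form: always add. Guarded form: add only an unlinked node. */
    if (!guarded || list_empty(&bg_root))
        list_add_tail(&bg_root, &switch_commits);
    return list_del_entry_valid(&tree_root) &&
           list_del_entry_valid(&bg_root) && list_del_entry_valid(&chunk_root);
}

int main(void)
{
    printf("already linked: unconditional add valid=%d, guarded add valid=%d\n",
           commit_keeps_lists_valid(true, false), commit_keeps_lists_valid(true, true));
    return 0;
}
```

With the root already linked, the unconditional add leaves the preceding entry's next->prev pointing at a node on the other list, the same kind of mismatch CONFIG_DEBUG_LIST reports. The guarded add leaves both lists intact.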
Detection Methods for CVE-2026-46251
Indicators of Compromise
- Kernel warnings from __list_del_entry_valid_or_report referencing switch_commit_roots+0x82 in the btrfs module.
- BTRFS critical log entry: unable to find root key (1 0 0) in tree 1 followed by Transaction aborted (error -117).
- Unexpected btrfs filesystem remounts to read-only after sync or other commit-triggering operations.
Detection Strategies
- Monitor dmesg and the systemd journal for BTRFS critical messages and list_del corruption warnings on hosts using btrfs with EXTENT_TREE_V2.
- Query running kernels with uname -r and audit btrfs superblock features via btrfs inspect-internal dump-super to identify filesystems with EXTENT_TREE_V2 enabled.
- Correlate filesystem read-only transitions with prior kernel list corruption warnings to confirm the root cause.
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on the strings Transaction aborted, list_del corruption, and switch_commit_roots.
- Track btrfs filesystem health metrics, including read-only remount events and transaction abort counters.
- Maintain an inventory of Linux hosts running kernel 6.18.x to prioritize patch validation.
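One way to implement the correlation described in the detection strategies, as an added example rather than vendor or kernel tooling. triage_btrfs_log and the verdict names are hypothetical, and the sample log lines are constructed from the strings quoted above, with placeholders for host-specific values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { CLEAN, LIST_WARNING_ONLY, ABORT_ONLY, WARNING_THEN_ABORT };

/* Walk one host's kernel log in order and correlate the page's indicators. */
static enum verdict triage_btrfs_log(const char *const lines[], size_t n)
{
    int warned = 0, in_commit = 0, key_missing = 0;
    enum verdict v = CLEAN;

    for (size_t i = 0; i < n; i++) {
        const char *l = lines[i];

        if (strstr(l, "list_del corruption"))
            warned = 1;       /* CONFIG_DEBUG_LIST report */
        if (warned && strstr(l, "switch_commit_roots"))
            in_commit = 1;    /* trace points at the btrfs commit path */
        if (strstr(l, "BTRFS") && strstr(l, "unable to find root key"))
            key_missing = 1;
        if (key_missing && strstr(l, "Transaction aborted (error -117)"))
            v = in_commit ? WARNING_THEN_ABORT : ABORT_ONLY;
    }
    if (v == CLEAN && in_commit)
        v = LIST_WARNING_ONLY;
    return v;
}

/* Constructed sample lines; <...> marks values that vary per host. */
static const char *const with_debug_list[] = {
    "list_del corruption. next->prev should be <addr>, but was <addr>",
    " switch_commit_roots+0x82/<len> [btrfs]",
    "BTRFS critical (device <dev>): unable to find root key (1 0 0) in tree 1",
    "BTRFS: Transaction aborted (error -117)",
};
/* Same failure on a kernel built without CONFIG_DEBUG_LIST: no warning. */
static const char *const *const without_debug_list = with_debug_list + 2;

int main(void)
{
    printf("with DEBUG_LIST: %d, without: %d\n",
           (int)triage_btrfs_log(with_debug_list, 4),
           (int)triage_btrfs_log(without_debug_list, 2));
    return 0;
}
```

ABORT_ONLY is still worth alerting on: without CONFIG_DEBUG_LIST the list warning never appears, so the abort is the first visible sign.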
How to Mitigate CVE-2026-46251
Immediate Actions Required
- Apply the upstream btrfs fix from the kernel.org stable tree to all affected Linux builds.
- Schedule maintenance windows to reboot hosts onto patched kernels, prioritizing systems with btrfs EXTENT_TREE_V2 filesystems.
- Back up any btrfs volume formatted with EXTENT_TREE_V2 before further write activity to limit exposure to transaction aborts.
Patch Information
The fix is available in the Linux kernel stable tree across multiple branches. Reference commits: 201091da34c4, 3a1f4264daed, 4eb830847d84, 6e10283b5519, 80e1fda9c084, and e3d1fd084319.
Workarounds
- Avoid creating new btrfs filesystems with the EXTENT_TREE_V2 incompatible feature until patched kernels are deployed.
- For existing volumes, reduce allocation churn that dirties block groups during commit windows when an unpatched kernel must remain in production.
- Enable CONFIG_DEBUG_LIST in test environments to surface list corruption early during pre-production kernel validation.