PatchSiren cyber security CVE debrief
CVE-2026-23141 Linux CVE debrief
A vulnerability in the Linux kernel's Btrfs filesystem send functionality could allow invalid memory access when processing inline extents. The issue occurs in range_is_hole_in_parent() where the disk_bytenr field of a file extent item is accessed without first verifying whether the extent is inline. For inline extents, data begins at the offset of the disk_bytenr field, meaning accessing this field reads inline data rather than a disk address. If inline data is smaller than 8 bytes, this can cause invalid memory access when the inline extent item is the first item in a leaf, or result in reading metadata from other items. The vulnerability is local, requires low privileges, and can lead to denial of service through system crash.
- Vendor: Linux
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-14
- Original CVE updated: 2026-06-01
- Advisory published: 2026-02-14
- Advisory updated: 2026-06-01
Who should care
Linux system administrators running Btrfs filesystems with send/receive functionality enabled; organizations using Btrfs for backups or replication; kernel maintainers and distribution security teams responsible for stable kernel updates
Technical summary
The Btrfs send feature in the Linux kernel contains a flaw in range_is_hole_in_parent() where file extent items are processed without checking for inline extents. Inline extents store data directly in the file extent item structure, with data starting at the disk_bytenr field offset. When code treats this field as a disk block address rather than inline data, it can read incorrect data or cause out-of-bounds memory access. If the inline extent is the first item in a Btrfs leaf and contains fewer than 8 bytes, the access can extend beyond valid memory boundaries. This is a local vulnerability exploitable by users with permissions to perform Btrfs send operations, resulting in potential system crash (denial of service). The fix adds proper inline extent detection before accessing disk_bytenr.
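The following is an added example, not the kernel's code or the fix itself. It models the layout the summary describes (an extent item whose inline data begins at the disk_bytenr offset) with a constructed, simplified struct and shows the shape of the check the fix adds: look at the extent type before reading disk_bytenr, and treat a regular item that is too short to hold the field as malformed rather than reading past it. The struct, the enum values and the helper names are assumptions for this example; the kernel's own definitions are not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a Btrfs file extent item (example code,
 * not the kernel's struct; host byte order, not the on-disk little-endian). */
#define FILE_EXTENT_INLINE   0
#define FILE_EXTENT_REG      1
#define FILE_EXTENT_PREALLOC 2

struct file_extent_item {
    uint64_t generation;
    uint64_t ram_bytes;
    uint8_t  compression;
    uint8_t  encryption;
    uint16_t other_encoding;
    uint8_t  type;
    uint64_t disk_bytenr;    /* for inline extents: first bytes of file data */
    uint64_t disk_num_bytes;
    uint64_t offset;
    uint64_t num_bytes;
} __attribute__((packed));

/* Offset at which inline data starts; also the smallest valid item size. */
#define INLINE_DATA_START offsetof(struct file_extent_item, disk_bytenr)

enum extent_kind { EXTENT_HOLE, EXTENT_DATA, EXTENT_INLINE, EXTENT_MALFORMED };

/* True when an unchecked 8-byte read of disk_bytenr would run past the end
 * of an item of this size, i.e. an inline extent with fewer than 8 data bytes. */
bool disk_bytenr_read_overruns(uint32_t item_size)
{
    return item_size < INLINE_DATA_START + sizeof(uint64_t);
}

/* Checked classification: inspect the type before touching disk_bytenr, so
 * inline data is never interpreted as a disk address. */
enum extent_kind classify_extent(const uint8_t *item, uint32_t item_size)
{
    uint8_t type;
    uint64_t disk_bytenr;

    if (item_size < INLINE_DATA_START)
        return EXTENT_MALFORMED;
    memcpy(&type, item + offsetof(struct file_extent_item, type), sizeof type);
    if (type == FILE_EXTENT_INLINE)
        return EXTENT_INLINE;        /* caller handles inline data separately */
    if (type != FILE_EXTENT_REG && type != FILE_EXTENT_PREALLOC)
        return EXTENT_MALFORMED;
    if (disk_bytenr_read_overruns(item_size))
        return EXTENT_MALFORMED;     /* truncated regular item: do not read */
    memcpy(&disk_bytenr, item + INLINE_DATA_START, sizeof disk_bytenr);
    return disk_bytenr == 0 ? EXTENT_HOLE : EXTENT_DATA;
}

/* Build a sample item into buf (>= 64 bytes, inline_len <= 43) and return the
 * item size as a leaf would record it. Inline data follows the type byte. */
uint32_t build_extent_item(uint8_t *buf, uint8_t type, uint64_t disk_bytenr,
                           const void *inline_data, uint32_t inline_len)
{
    struct file_extent_item hdr;

    memset(&hdr, 0, sizeof hdr);
    hdr.type = type;
    if (type == FILE_EXTENT_INLINE) {
        hdr.ram_bytes = inline_len;
        memcpy(buf, &hdr, INLINE_DATA_START);
        memcpy(buf + INLINE_DATA_START, inline_data, inline_len);
        return INLINE_DATA_START + inline_len;
    }
    hdr.disk_bytenr = disk_bytenr;
    hdr.num_bytes = 4096;
    memcpy(buf, &hdr, sizeof hdr);
    return sizeof hdr;
}

/* Wrappers that build a constructed sample item and report on it. */
uint32_t sample_item_size(uint8_t type, uint64_t disk_bytenr,
                          const void *inline_data, uint32_t inline_len)
{
    uint8_t buf[64];
    return build_extent_item(buf, type, disk_bytenr, inline_data, inline_len);
}

enum extent_kind classify_sample(uint8_t type, uint64_t disk_bytenr,
                                 const void *inline_data, uint32_t inline_len)
{
    uint8_t buf[64];
    uint32_t sz = build_extent_item(buf, type, disk_bytenr, inline_data, inline_len);
    return classify_extent(buf, sz);
}

int main(void)
{
    uint32_t sz = sample_item_size(FILE_EXTENT_INLINE, 0, "abc", 3);
    printf("inline item, 3 data bytes: size %u, unchecked 8-byte read overruns: %s\n",
           sz, disk_bytenr_read_overruns(sz) ? "yes" : "no");
    printf("classified: %d (EXTENT_INLINE=%d)\n",
           classify_sample(FILE_EXTENT_INLINE, 0, "abc", 3), EXTENT_INLINE);
    return 0;
}
```

The 3-byte inline item is 24 bytes long while an 8-byte read at offset 21 needs 29, which is the overrun the advisory describes; when such an item is the first in a leaf, the missing bytes lie outside the leaf buffer, and otherwise they belong to the neighbouring item.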
Defensive priority
medium
Recommended defensive actions
- Apply the appropriate stable kernel patch for your affected version stream (4.11+, 6.7+, 6.13+, or 6.19-rc series)
- Upgrade to a fixed kernel version: 6.6.122 or later, 6.12.67 or later, 6.18.7 or later, or 6.19-rc6 or later
- If immediate patching is not possible, restrict untrusted local access to Btrfs send operations
- Monitor kernel logs for unexpected crashes during Btrfs send operations as potential indicators of exploitation attempts
Evidence notes
The CVE description and NVD metadata confirm this is a resolved Linux kernel vulnerability in Btrfs send operations. Multiple stable kernel patches are available. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector with low attack complexity, low privileges required, no user interaction, and high availability impact. Affected versions span Linux kernel 4.11 through 6.6.121, 6.7 through 6.12.66, 6.13 through 6.18.6, and 6.19-rc1 through 6.19-rc5.
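To turn the affected ranges above and the fixed versions in the recommended actions into a quick check, here is an added example (not part of the advisory and not a tool from PatchSiren, kernel.org or NVD) that parses a `uname -r` style string and tests it against the four ranges from the evidence notes. It assumes release candidates sort before the final release of the same number and that the lower bound of each range means the final release (so an rc of 4.11 is not counted); the struct and function names are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parsed kernel version; rc == 0 means a final release. */
struct kver { int major, minor, patch, rc; };

/* Accepts "6.6.121", "6.6.122-generic", "5.15.0-91-generic" or "6.19.0-rc5"
 * (the forms `uname -r` prints). Returns false on malformed input. */
bool parse_kver(const char *s, struct kver *v)
{
    const char *rc;
    int n = sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch);

    if (n < 2 || v->major < 0 || v->minor < 0)
        return false;
    if (n == 2)
        v->patch = 0;
    else if (v->patch < 0)
        return false;
    v->rc = 0;
    rc = strstr(s, "-rc");
    if (rc && (sscanf(rc + 3, "%d", &v->rc) != 1 || v->rc <= 0))
        return false;
    return true;
}

/* Release candidates sort before the final release of the same number. */
static int rc_key(const struct kver *v) { return v->rc == 0 ? INT_MAX : v->rc; }

int kver_cmp(const struct kver *a, const struct kver *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (rc_key(a) != rc_key(b)) return rc_key(a) < rc_key(b) ? -1 : 1;
    return 0;
}

/* Affected ranges (inclusive) as listed in the advisory's evidence notes. */
struct krange { struct kver lo, hi; };
static const struct krange affected[] = {
    { {4, 11, 0, 0}, {6, 6, 121, 0} },   /* 4.11 .. 6.6.121 */
    { {6, 7, 0, 0},  {6, 12, 66, 0} },   /* 6.7 .. 6.12.66 */
    { {6, 13, 0, 0}, {6, 18, 6, 0} },    /* 6.13 .. 6.18.6 */
    { {6, 19, 0, 1}, {6, 19, 0, 5} },    /* 6.19-rc1 .. 6.19-rc5 */
};

/* Returns 1 if the version lies in an affected range, 0 if not,
 * -1 if the string cannot be parsed. */
int kernel_affected(const char *version)
{
    struct kver v;
    size_t i;

    if (!parse_kver(version, &v))
        return -1;
    for (i = 0; i < sizeof affected / sizeof affected[0]; i++)
        if (kver_cmp(&affected[i].lo, &v) <= 0 && kver_cmp(&v, &affected[i].hi) <= 0)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Typical use: ./kcheck "$(uname -r)"; a constructed default otherwise. */
    const char *v = argc > 1 ? argv[1] : "6.6.121";
    int r = kernel_affected(v);

    if (r < 0)
        printf("%s: could not parse version string\n", v);
    else
        printf("%s: %s\n", v, r ? "inside an affected range, update the kernel"
                                : "outside the affected ranges");
    return r < 0 ? 2 : r;
}
```

Upstream version numbers are only a first screen: distribution kernels keep a base version such as 6.6.0 while backporting fixes, so a match here means "consult the distribution's advisory for this CVE", not a confirmed vulnerable host.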
Official resources
- CVE-2026-23141 CVE record (CVE.org)
- CVE-2026-23141 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
2026-02-14