PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23157 Linux CVE debrief

A deadlock vulnerability in the Linux kernel's Btrfs filesystem can cause system hangs when memory cgroup dirty limits interact with Btrfs's internal metadata writeback threshold. Affected kernels from 2.6.29 through 6.18.8 (and 6.19-rc1 through rc7) may experience this condition when a cgroup with a small dirty limit (e.g., 16 MB) accumulates dirty Btrfs btree pages that exceed the cgroup limit but remain below Btrfs's fixed 32 MB internal threshold. This prevents writeback from occurring while the memory controller blocks new dirty pages, stalling processes in balance_dirty_pages(). The issue was resolved by removing the strict dirty metadata threshold in btree_writepages() for external callers, allowing the memory controller's view of system state to govern writeback decisions. Kernels 6.18.9 and later, or those with commit b55102826d7d (AS_KERNEL_FILE on btree_inode), are not affected.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-14
Original CVE updated
2026-06-01
Advisory published
2026-02-14
Advisory updated
2026-06-01

Who should care

Organizations running Linux systems with Btrfs and memory cgroups enabled, particularly container hosts or multi-tenant environments with constrained cgroup memory limits.

Technical summary

The Btrfs btree_writepages() function enforced a 32 MB minimum dirty metadata threshold before initiating writeback. When a memory cgroup's dirty limit was lower than this threshold (e.g., 16 MB), dirty btree pages could exceed the cgroup limit without triggering Btrfs writeback. The memory controller then blocked additional dirtying, while Btrfs refused to write back, creating a deadlock. Processes entering balance_dirty_pages() would sleep indefinitely (observed as io_schedule_timeout waits), causing system hangs. The fix removes the strict threshold for external writepage callers, deferring to the memory controller's dirty balancing. Internal callers via btrfs_btree_balance_dirty() retain threshold behavior.

Defensive priority

medium

Recommended defensive actions

  • Apply the appropriate stable kernel patch for your release line (see resource links ref-6 and ref-7).
  • Upgrade to Linux kernel 6.18.9 or later, or a stable release containing the fix.
  • If running containerized workloads with memory cgroups on affected kernels, monitor for processes stuck in D state within balance_dirty_pages() as an indicator of this deadlock.
  • Consider prioritizing patching on systems using Btrfs with memory-constrained cgroups or small dirty limits.

Evidence notes

CVE published 2026-02-14; modified 2026-06-01. CPE indicates affected versions from 2.6.29 through 6.18.8, plus 6.19-rc1 through rc7. Patches available via stable kernel Git. Root cause analysis attributed to Jan Kara in the commit message. CVSS 5.5 (MEDIUM) per NVD.

Official resources

2026-02-14