PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23249 Linux CVE debrief

CVE-2026-23249 is a Linux kernel XFS flaw where revalidating rebuilt allocation or inode btrees can dereference a cursor that was already deleted after a failed cross-reference check. The result is a kernel crash / denial of service during XFS repair evaluation. NVD rates the issue 5.5 (Medium) with local, low-privilege conditions and high availability impact.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-18
Original CVE updated
2026-05-21
Advisory published
2026-03-18
Advisory updated
2026-05-21

Who should care

Linux distribution maintainers, kernel integrators, and administrators running XFS on affected Linux kernel branches should care most, especially where scrub/repair workflows are used in production or maintenance windows.

Technical summary

The bug occurs in the XFS repair path after both btrees are rebuilt and then revalidated. In xrep_revalidate_allocbt(), xchk_allocbt() is called twice; if the first pass hits a cross-reference failure, xchk_should_check_xref() can null out the cursor needed by the second pass, leading to a NULL pointer dereference when the second revalidation runs. The supplied description says the same pattern exists in xrep_revalidate_iallocbt(). The fix is to check for a deleted/null cursor before the second revalidation, mark the repair incomplete, and skip the second tree when the first tree was rebuilt but remains corrupt. NVD lists the issue under CWE-476.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to a Linux kernel version outside the vulnerable ranges listed by NVD: 6.12.75 or later in the 6.8 branch, 6.18.16 or later in the 6.13 branch, and 6.19.6 or later in the 6.19 branch.
  • Backport the upstream kernel fix if you maintain a downstream or long-term-support kernel.
  • Prioritize systems that use XFS scrub/repair tooling or automated filesystem repair workflows, since the bug is in the repair revalidation path.
  • Watch for kernel crashes or hangs during XFS metadata repair and treat them as a signal to verify kernel patch level.
  • Use the official kernel.org stable patch references in the NVD record to confirm the exact fix commit(s) for your branch.

Evidence notes

All factual claims are drawn from the supplied NVD record and the kernel.org stable patch references. NVD shows CVE-2026-23249 as published on 2026-03-18 and last modified on 2026-05-21; the later timestamp should not be treated as the original issue date. NVD classifies the bug as CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, CWE-476, and lists affected Linux kernel branches as 6.8 through earlier than 6.12.75, 6.13 through earlier than 6.18.16, and 6.19 through earlier than 6.19.6. The kernel description states that a deleted cntbt cursor can be nullified after a failed cross-reference attempt and then dereferenced during the second revalidation, and that the same fix applies to xrep_revalidate_iallocbt.

Official resources

CVE published at 2026-03-18T18:16:22.787Z and modified at 2026-05-21T18:34:07.380Z. Use the published timestamp for disclosure timing context; the modified timestamp reflects record updates.