xfs Scrub UAF
CVE-2026-23223
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved: xfs: fix UAF in xchk_btree_check_block_owner We cannot dereference bs->cur when trying to determine if bs->cur aliases bs->sc->sa.{bno,rmap}_cur after the latter has been freed. Fix this by sampling the type before any freeing could happen. The correct temporal ordering was broken when we removed xfs_btnum_t.
02 KernelScan AI Analysis
Risk summary
A use-after-free in the XFS online scrub code lets xchk_btree_check_block_owner() read through a btree cursor that an earlier cross-reference check in the same function has already freed. The function decides whether the cursor being scrubbed is the bnobt or rmapbt cursor by dereferencing bs->cur->bc_ops, and does so after the cross-reference helpers that can free that very cursor. The concrete consequence is a kernel crash (or, if the freed slab object has been reused, memory corruption) during a scrub run; the CVSS vector above scores the worst case as full local compromise.
Vulnerability analysis
Root Cause: xchk_btree_check_block_owner() dereferences bs->cur->bc_ops after bs->cur may already point at freed memory. When the bnobt or rmapbt itself is being scrubbed, bs->cur aliases bs->sc->sa.bno_cur or bs->sc->sa.rmap_cur. The cross-reference helpers called partway through the function (xchk_xref_is_used_space() and xchk_xref_is_only_owned_by()) delete that shared cursor and NULL the sa slot when a lookup against it fails with an error, which leaves bs->cur dangling. Before xfs_btnum_t was removed the function captured the btree type once, up front, and compared only that cached value afterwards; the removal replaced it with inline calls to xfs_btree_is_bno(bs->cur->bc_ops) and xfs_btree_is_rmap(bs->cur->bc_ops), which moved the dereference to after the point where the aliased cursor can be freed. That reordering is the use-after-free.
Attack Surface: The bug lives in the XFS online scrub code under fs/xfs/scrub/, which is compiled in only when the kernel is built with CONFIG_XFS_ONLINE_SCRUB and runs only when userspace requests it through the XFS_IOC_SCRUB_METADATA ioctl, normally via xfs_scrub(8). That ioctl requires CAP_SYS_ADMIN, so in practice the trigger is a local administrator or a process granted that capability rather than an arbitrary unprivileged user; the CVSS vector above nevertheless rates the required privileges as low (PR:L). The vulnerable path is reached when a cross-reference lookup fails with an error while the bnobt or rmapbt itself is being scrubbed, a condition most easily met on a corrupted or crafted XFS image. A quick check is whether the running kernel is older than the fixed release for its branch (uname -r against the table below) and whether CONFIG_XFS_ONLINE_SCRUB is set in its config; kernels built without online scrub do not contain the affected code.
Fix Mechanism: The fix samples the btree type once, immediately after the NULL check on bs->cur and before any cross-reference call, by storing the results of xfs_btree_is_bno(bs->cur->bc_ops) and xfs_btree_is_rmap(bs->cur->bc_ops) in the local booleans is_bnobt and is_rmapbt. The later comparisons against bs->sc->sa.bno_cur and bs->sc->sa.rmap_cur use those cached values, so bs->cur is never dereferenced after the point where the aliased cursor can be freed. This restores the temporal ordering the function had before xfs_btnum_t was removed.
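As an added example, not code from the page or from the kernel, the following user-space C model reproduces the ordering problem described in the root cause and the fix above. The struct and function names (btree_cur, scrub_ctx, btree_scrub, check_block_owner_buggy, check_block_owner_fixed, run_scrub and the xref_* stand-ins) are hypothetical substitutes for xfs_btree_cur, xfs_scrub, xchk_btree and xchk_btree_check_block_owner(); freeing is simulated by marking the object dead rather than releasing memory, so the buggy path can be exercised and its stale reads counted instead of crashing. The injected cross-reference failures are constructed inputs.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for struct xfs_btree_ops / xfs_btree_cur / xfs_scrub:
 * a user-space model of the ordering bug, not the kernel's own code. */
enum btree_kind { BT_BNO, BT_RMAP, BT_INOBT };
struct btree_ops { enum btree_kind kind; };
struct btree_cur {
    const struct btree_ops *ops;
    bool freed;   /* model only: the kernel really frees the cursor */
};
struct scrub_ag { struct btree_cur *bno_cur, *rmap_cur; };  /* model of sc->sa */
struct scrub_ctx {
    struct scrub_ag sa;
    bool bno_xref_fails, rmap_xref_fails;   /* constructed faults to inject */
};
struct btree_scrub { struct scrub_ctx *sc; struct btree_cur *cur; };

/* Reads of cur->ops via a freed or NULL cursor (in the kernel: UAF / NULL deref). */
static int uaf_reads, null_reads;

/* Delete a cursor after a failed xref: sa slot NULLed, alias bs->cur left dangling. */
static void del_cursor(struct btree_cur **slot)
{
    if (*slot) { (*slot)->freed = true; *slot = NULL; }
}

/* Every read of cur->ops goes through here so bad reads can be counted. */
static const struct btree_ops *cur_ops(const struct btree_cur *cur)
{
    if (!cur) { null_reads++; return NULL; }
    if (cur->freed) uaf_reads++;
    return cur->ops;
}
static bool ops_is_bno(const struct btree_ops *o)  { return o && o->kind == BT_BNO; }
static bool ops_is_rmap(const struct btree_ops *o) { return o && o->kind == BT_RMAP; }

/* Stand-ins for xchk_xref_is_used_space() / xchk_xref_is_only_owned_by():
 * a failing cross-reference deletes the cursor it was checking against. */
static void xref_is_used_space(struct scrub_ctx *sc)
{ if (sc->bno_xref_fails) del_cursor(&sc->sa.bno_cur); }
static void xref_is_only_owned_by(struct scrub_ctx *sc)
{ if (sc->rmap_xref_fails) del_cursor(&sc->sa.rmap_cur); }

/* Ordering after xfs_btnum_t was removed: the type is read through bs->cur
 * only after a cross-reference that may have freed the aliased cursor. */
static void check_block_owner_buggy(struct btree_scrub *bs)
{
    if (!bs->cur) return;
    xref_is_used_space(bs->sc);
    if (ops_is_bno(cur_ops(bs->cur)) && bs->sc->sa.bno_cur == NULL)
        bs->cur = NULL;   /* bs->cur aliased sa.bno_cur: stop further checks */
    xref_is_only_owned_by(bs->sc);
    if (ops_is_rmap(cur_ops(bs->cur)) && bs->sc->sa.rmap_cur == NULL)
        bs->cur = NULL;
}

/* Fixed ordering: sample the type while bs->cur is live; compare cached booleans later. */
static void check_block_owner_fixed(struct btree_scrub *bs)
{
    bool is_bnobt, is_rmapbt;
    if (!bs->cur) return;
    is_bnobt = ops_is_bno(cur_ops(bs->cur));
    is_rmapbt = ops_is_rmap(cur_ops(bs->cur));
    xref_is_used_space(bs->sc);
    if (is_bnobt && bs->sc->sa.bno_cur == NULL)
        bs->cur = NULL;
    xref_is_only_owned_by(bs->sc);
    if (is_rmapbt && bs->sc->sa.rmap_cur == NULL)
        bs->cur = NULL;
}

struct faults { int uaf; int null_deref; bool cur_nullified; };
/* Scrub one btree kind with the given xref failures injected, buggy or fixed path. */
static struct faults run_scrub(enum btree_kind kind, bool bno_fails,
                               bool rmap_fails, bool fixed)
{
    static const struct btree_ops bno_ops = { BT_BNO }, rmap_ops = { BT_RMAP },
                                  ino_ops = { BT_INOBT };
    struct btree_cur bno = { &bno_ops, false }, rmap = { &rmap_ops, false },
                     ino = { &ino_ops, false };
    struct scrub_ctx sc = { { &bno, &rmap }, bno_fails, rmap_fails };
    /* The bnobt/rmapbt scrubbers alias bs->cur to the matching sa cursor. */
    struct btree_scrub bs = { &sc, kind == BT_BNO ? &bno :
                                   kind == BT_RMAP ? &rmap : &ino };
    uaf_reads = null_reads = 0;
    if (fixed) check_block_owner_fixed(&bs);
    else       check_block_owner_buggy(&bs);
    return (struct faults){ uaf_reads, null_reads, bs.cur == NULL };
}

int main(void)
{
    struct faults b = run_scrub(BT_RMAP, false, true, false);
    struct faults g = run_scrub(BT_RMAP, false, true, true);
    printf("rmapbt scrub, owner xref fails: buggy uaf=%d, fixed uaf=%d\n", b.uaf, g.uaf);
    return 0;
}
```

Build with any C99 compiler (cc -std=c99 -Wall). Scrubbing the rmapbt with a failing owner cross-reference yields one read through the freed cursor on the buggy path and none on the fixed path; scrubbing the bnobt with a failing space cross-reference additionally shows the follow-on NULL dereference, since the buggy code nulls bs->cur and then reads through it again. A btree that does not alias an sa cursor (BT_INOBT here) never trips either version, which is why the aliasing comment in the kernel function matters: the type must be captured while the alias is still valid.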
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.72 | 1d411278dda2 |
| 6.18 | 6.18.11 | ed82e7949f5c |
| 6.19 | 6.19.1 | ba5264610423 |
| mainline | 7.0 | 1c253e11225b |