HIGH
btrfs ExtentRef Corruption
CVE-2026-31666
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref()

After commit 1618aa3c2e01 ("btrfs: simplify return variables in lookup_extent_data_ref()"), the err and ret variables were merged into a single ret variable. However, when btrfs_next_leaf() returns 0 (success), ret is overwritten from -ENOENT to 0. If the first key in the next leaf does not match (different objectid or type), the function returns 0 instead of -ENOENT, making the caller believe the lookup succeeded when it did not. This can lead to operations on the wrong extent tree item, potentially causing extent tree corruption.

Fix this by returning -ENOENT directly when the key does not match, instead of relying on the ret variable.
02 KernelScan AI Analysis
Risk summary
Local users with write access to btrfs filesystems can trigger extent tree corruption through incorrect return value handling in extent data reference lookups. This can lead to filesystem integrity issues and potential data corruption on affected btrfs volumes.
Vulnerability analysis
The vulnerability stems from a logic error in lookup_extent_data_ref() where a variable refactoring incorrectly changed error handling. When btrfs_next_leaf() succeeds but the found key doesn't match the target extent reference, the function returns 0 (success) instead of -ENOENT (not found). This causes callers to believe they found a valid extent reference when they didn't, leading them to operate on the wrong extent tree item. The fix ensures -ENOENT is returned directly when key matching fails, preventing operations on incorrect extent tree entries that could corrupt the filesystem's extent tracking metadata.
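The return-value pattern described above, reduced to a userspace model. This is an added example, not the kernel's code or the upstream patch; the structures, `next_leaf()`, `lookup_ref()`, `lookup_demo()` and the sample keys are hypothetical stand-ins constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed userspace model, not kernel code; all names are hypothetical. */
struct key  { unsigned long objectid; int type; unsigned long ref; };
struct leaf { const struct key *keys; size_t nr; };

/* Stand-in for btrfs_next_leaf(): 0 = advanced, 1 = no further leaf. */
static int next_leaf(size_t nr_leaves, size_t *cur)
{
    if (*cur + 1 >= nr_leaves)
        return 1;
    (*cur)++;
    return 0;
}

/* fixed == 0 models the merged-variable bug, fixed == 1 the described fix. */
static int lookup_ref(const struct leaf *leaves, size_t nr_leaves,
                      unsigned long objectid, int type, unsigned long ref,
                      int fixed)
{
    size_t cur = 0, slot = 0;
    int ret = -ENOENT;                       /* default result: not found */

    for (;;) {
        while (slot >= leaves[cur].nr) {     /* ran off the end of this leaf */
            ret = next_leaf(nr_leaves, &cur);/* success overwrites -ENOENT with 0 */
            if (ret)
                return -ENOENT;
            slot = 0;
        }
        const struct key *k = &leaves[cur].keys[slot];
        if (k->objectid != objectid || k->type != type)
            return fixed ? -ENOENT : ret;    /* buggy path may return the stale 0 */
        if (k->ref == ref)
            return 0;                        /* genuine match */
        slot++;
    }
}

/* Constructed sample: objectid 100 ends leaf 0, leaf 1 starts with objectid 200. */
static const struct key leaf0[] = { { 100, 1, 7 } };
static const struct key leaf1[] = { { 200, 1, 9 } };
static const struct leaf sample[] = { { leaf0, 1 }, { leaf1, 1 } };

/* Look up (objectid 100, type 1, ref) across both sample leaves. */
int lookup_demo(int fixed, unsigned long ref)
{
    return lookup_ref(sample, 2, 100, 1, ref, fixed);
}
```

Searching for a reference that is absent (`ref` 8) forces the leaf change: the buggy variant reports success while positioned on the unrelated key in the next leaf, and the fixed variant reports -ENOENT.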
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.82 | 4125a194db4a |
| 6.18 | 6.18.23 | 450e6a685d0c |
| 6.19 | 6.19.13 | ab1e022379c3 |
| mainline | 7.0 | 316fb1b3169e |