CRITICAL
btrfs Tracepoint Deref
CVE-2026-43117
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
KernelScan AI: 5.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()

If overlay is used on top of btrfs, dentry->d_sb translates to overlay's super block and fsid assignment will lead to a crash.

Use file_inode(file)->i_sb to always get btrfs_sb.
02 KernelScan AI Analysis
Risk summary
Systems using overlay filesystems on top of btrfs are at risk of kernel crashes when file sync operations trigger tracepoints. This affects container environments and systems using overlay mounts, causing complete system unavailability through kernel panic.
Vulnerability analysis
The btrfs_sync_file tracepoint incorrectly uses dentry->d_sb to access the superblock, but when overlay is mounted on btrfs, this returns overlay's superblock instead of the btrfs superblock. Casting it and accessing btrfs-specific fields causes a crash. The fix uses file_inode(file)->i_sb to always get the correct btrfs superblock. The attack surface is local filesystem access with the ability to use overlay mounts on btrfs.
03 Fix Versions
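To find hosts that match the affected configuration (overlay on top of btrfs), the following added example, which is not part of the original advisory, parses text in /proc/self/mountinfo format and reports overlay mounts whose lowerdir or upperdir sits on a btrfs mount. The function names and the sample mount table are constructed for illustration.

```python
import os

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE = """\
22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
30 22 0:31 / /data rw,relatime - btrfs /dev/sdb1 rw,subvolid=5,subvol=/
41 22 0:45 / /srv/merged rw - overlay overlay rw,lowerdir=/data/img/l1:/data/img/l0,upperdir=/data/ctr/upper,workdir=/data/ctr/work
42 22 0:46 / /opt/merged rw - overlay overlay rw,lowerdir=/opt/base,upperdir=/opt/upper,workdir=/opt/work
"""

def parse_mountinfo(text):
    """Return (mount_point, fstype, super_options) per mountinfo line."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields[6:]:
            continue
        sep = fields.index("-", 6)  # optional fields end at the lone "-"
        opts = fields[sep + 3] if len(fields) > sep + 3 else ""
        mounts.append((fields[4], fields[sep + 1], opts))
    return mounts

def fstype_of(path, mounts):
    """Filesystem type of the longest mount point that is a prefix of path."""
    best, best_type = "", None
    for mount_point, fstype, _ in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if (path + "/").startswith(prefix) and len(mount_point) >= len(best):
            best, best_type = mount_point, fstype
    return best_type

def overlays_on_btrfs(text):
    """Map overlay mount points to their layers on btrfs (absolute paths only)."""
    mounts = parse_mountinfo(text)
    hits = {}
    for mount_point, fstype, opts in mounts:
        if fstype != "overlay":
            continue
        for opt in opts.split(","):
            key, _, value = opt.partition("=")
            layers = value.split(":") if key in ("lowerdir", "upperdir") else []
            for layer in layers:
                if fstype_of(layer, mounts) == "btrfs":
                    hits.setdefault(mount_point, []).append(layer)
    return hits

if __name__ == "__main__":
    src = "/proc/self/mountinfo"
    print(overlays_on_btrfs(open(src).read() if os.path.exists(src) else SAMPLE))
```

A non-empty result means the host has the overlay-on-btrfs layout the advisory describes; compare its kernel against the fix versions listed on this page. Relative layer paths and escaped characters in mount options are not resolved.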
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 4a7bab35fad5 |
| 5.15 | 5.15.209 | 520e8b4bcf87 |
| 6.1 | 6.1.175 | e252db8ca2a0 |
| 6.6 | 6.6.136 | c09a7446aab5 |
| 6.12 | 6.12.83 | 32372781d664 |
| 6.18 | 6.18.24 | 2e4adfaec97e |
| 6.19 | 6.19.14 | d110d7cdb045 |
| mainline | 7.0 | a85b46db143f |